b'           OFFICE OF\n\n    THE INSPECTOR GENERAL\n\n\n\nSOCIAL SECURITY ADMINISTRATION\n\n  PERFORMANCE MEASURE REVIEW:\n\n   RELIABILITY OF THE DATA USED\n\n   TO MEASURE THE TIMELINESS OF\n\n      SUPPLEMENTAL SECURITY\n\n INCOME AGED CLAIMS PROCESSING\n\n\n    MARCH 2000    A-02-99-11005\n\n\n\n\nAUDIT REPORT\n\n\x0c                             Office of the Inspector General\n\nMarch 20, 2000\n\nWilliam A. Halter\nDeputy Commissioner\n of Social Security\n\nInspector General\n\n\nPerformance Measure Review: Reliability of the Data Used to Measure the Timeliness\nof Supplemental Security Income (SSI) Aged Claims Processing (A-02-99-11005)\n\n\nTo fulfill the responsibilities of our workplan related to performance measurement, we\ncontracted PricewaterhouseCoopers (PwC) to evaluate nine of the Social Security\nAdministration\xe2\x80\x99s (SSA) Fiscal Year 1999 performance indicators that were established\nby SSA to comply with the Government Performance and Results Act.\n\nAttached is a copy of the final report on two of the performance indicators reviewed.\nThe objective of this review was to assess the reliability of the data used to measure\nperformance of the SSI aged claims process.\n\nIn addition to releasing individual reports on the performance indicators reviewed, PwC\nreleased a summary report on all of the indicators reviewed. SSA commented on the\nsummary report, Performance Measure Review: Summary of PricewaterhouseCoopers\xe2\x80\x99,\nLLP Review of the Social Security Administration\'s Performance Data (A-02-00-20024).\nAgency comments to the summary report were provided to us on January 28, 2000.\nThe comments related to the subject of this report are included in Appendix C. PwC\nreformatted the Agency comments to align them with the firm\'s recommendations\npresented in the final report. Nonetheless, SSA\'s comments were not changed during\nthe reformatting process.\n\nYou do not need to respond to this report, since you are responding to the same\ncomments attached to PwC\xe2\x80\x99s summary report. If you wish to discuss the final report,\nplease call me or have your staff contact Steven L. Schaefer, Assistant Inspector\nGeneral for Audit, at 410-965-9700.\n\n\n\n                                                James G. Huse, Jr.\n\nAttachment\n\x0cEvaluation of Selected Performance\n\nMeasures of the Social Security\n\nAdministration:\n\nReliability of the Data Used to\n\nMeasure Supplemental Security\n\nIncome Aged Claims Processing\n\nOffice of the Inspector General\nSocial Security Administration\n\n\nAgency comments to this report were provided to us on January 28, 2000. Many of the\nrecommendations made in this report are also found in earlier financial statement audit\nreports. In Appendix C, the Agency notes in its comments, \xe2\x80\x9cSince we are already taking\ncorrective actions for those that we accepted as valid, we will not be addressing the\nduplicate recommendations in this response.\xe2\x80\x9d\n\nFor the reader to be fully aware of SSA\xe2\x80\x99s comments that were made to each of the\nduplicate recommendations found in this present report, we incorporated those Agency\ncomments, that were made contemporaneous to the earlier audit report recommendations,\nas part of the Agency comments located at Appendix C of this report.\n\n\n\n\nA-02-99-11005                                                 February 18, 2000\n\x0c                         Table of Contents\n\n\nPerformance Measures Evaluation\n\n Introduction                                    1\n\n Results of Engagement                           2\n\n Other Matters                                   12\n\nAppendix A: Background                           A1\n\nAppendix B: Scope and Methodology                B1\n\nAppendix C: Agency Comments and PwC Response     C1\n\nAppendix D: Performance Measure Summary Sheets   D1\n\nAppendix E: Performance Measure Process Maps     E1\n\x0cINTRODUCTION\n\nThe Government Performance and Results Act (GPRA), Public Law Number 103-62,\n107 Statute 285 (1993), requires the Social Security Administration (SSA) to develop\nperformance indicators for fiscal year (FY) 1999 that assess the relevant service levels\nand outcomes of each program activity. GPRA also calls for a description of the means\nemployed to verify and validate the measured values used to report on program\nperformance. SSA has stated that the Office of the Inspector General (OIG) plays a\nvital role in evaluating the data used to measure performance. The OIG contracted\nPricewaterhouseCoopers (PwC) to evaluate the following GPRA performance\nindicator(s):\n\n1.\t Percent of OASI claims processed by the time the first regular payment is due,\n    or within 14 days from effective filing date, if later\n2. OASI claims processed\n3. Percent of initial SSI aged claims processed within 14 days of filing\n4. SSI aged claims processed\n5. Representative Payee Actions\n6. SSN requests processed\n7. Annual earnings items\n8. Percent of earnings posted to individuals\xe2\x80\x99 records by September 30\n9. Percentage of individuals issued SSA-Initiated PEBES as required by law\n\nTo evaluate the nine SSA performance indicators established by SSA to comply with\nGPRA, PwC was contracted to:\n\n\xe2\x80\xa2\t Gain an understanding and document the current FY 1999 system sources from\n   which data is collected to report on the specified performance measures;\n\xe2\x80\xa2\t Identify and test critical controls (both electronic data processing (EDP) and manual)\n   of current FY 1999 systems from which the specified performance data is generated;\n\xe2\x80\xa2\t Test the accuracy of the underlying FY 1998 data for each of the specified\n   performance measures;\n\xe2\x80\xa2 Recalculate each specific FY 1998 measure to ascertain its mathematical accuracy;\n\xe2\x80\xa2\t Evaluate the impact of any relevant findings from prior and current audits with\n   respect to SSA\'s ability to meet performance measure objectives; and\n\xe2\x80\xa2\t Identify findings relative to the above procedures and make suggestions for\n   improvement.\n\nThis is one of six separate stand-alone reports, corresponding to the following SSA\nprocesses, performance measures (PM), and Contract Identification Numbers (CIN):\n\n      SSI-Aged Claims (PM #3 and #4)                  A-02-99-11005\n\nThis report reflects our understanding and evaluation of the SSI aged claims process.\nThe report is organized in the following manner. The next section titled "Results of\nEngagement" identifies our findings and explains their relevance to SSA performance\n\n\n                                            1\n\n\x0cmeasurement. It also provides recommendations and suggestions for improvement.\nThe subsequent \xe2\x80\x9cOther Matters\xe2\x80\x9d section discusses the relevance of each performance\nmeasure with respect to GPRA. All other information is contained in the appendices, as\nfollows:\n\nAPPENDIX A \xe2\x80\x93 Background\nAPPENDIX B \xe2\x80\x93 Scope and Methodology\nAPPENDIX C \xe2\x80\x93 Agency Comments\nAPPENDIX D \xe2\x80\x93 Performance Measure Summary Sheets\nAPPENDIX E \xe2\x80\x93 Performance Measure Process Maps\n\n\nRESULTS OF ENGAGEMENT\n\nDuring the period of June 9, 1999 to October 1, 1999, we evaluated the current\nprocesses, systems and controls, which support the FY 1999 SSA performance\nmeasurement process. In addition, we determined the accuracy of the underlying\nperformance measure data. Since FY 1999 data were not always available, we often\nused FY 1998 data to perform our testing. Although SSA was not required to comply\nwith GPRA until FY 1999, they voluntarily reported results in the FY 1998 Accountability\nReport for SSI-Aged Claims. As a result, we were able to use our knowledge of current\nprocesses, systems, and controls to judge the accuracy of the performance measures\nbased on the FY 1998 results.\n\nOur evaluation allowed us to determine that the reported FY 1998 results of the two\nperformance measures tested (as itemized below) were reasonably stated.\n\n   Performance Measure                                     Reported Result\n   3.\t Percent of initial SSI aged claims processed within          54.2%\n       14 days of filing\n\n   4. SSI aged claims processed                                     135,422\n\n\nHowever, we did note the following eight opportunities for improvement, listed in order\nof their relative importance:\n\n1.\t SSA lacks sufficient performance measure process documentation and did not retain\n    documents to support the FY 1998 amounts\n2. SSA has a number of data integrity deficiencies\n3. SSA\'s system environment has security deficiencies\n4. This performance indicator could better reflect agency performance\n5.\t GPRA documents prepared for external evaluation of SSA performance do not\n    clearly indicate the sources or uses of the performance measures\n\n\n\n                                            2\n\n\x0c6.\t The Cost Analysis System (CAS) procedural and systems documentation have not\n    been updated\n7. SSA has systems design and documentation deficiencies\n8. SSA has a number of deficiencies in their systems contingency plan\n\nAdditionally, we evaluated the appropriateness of the nine performance measures with\nrespect to the future requirements of GPRA. As a result, we noted three areas in which\nSSA could better prepare itself to incorporate the final phases of GPRA in their\nprocesses. These results are discussed below in the Other Matters section.\n\nThese items were noted as a result of our testing the underlying performance measure\ndata, as well as the EDP and manual controls of the systems generating the\nperformance measure data, and are discussed in detail below.\n\nThroughout our evaluation of the nine performance measures, we noted the strong\ncommitment of SSA\'s staff to correctly implement GPRA.\n\n\n1.\t   SSA lacks sufficient performance measure process documentation and did\n      not retain documents to support the FY 1998 amounts\n\nGPRA requires that agencies "describe the means to be used to verify and validate\nmeasured values." Furthermore, the Office of Management and Budget (OMB) Circular\nNo. A-123, Internal Control Systems, requires that "documentation for transactions,\nmanagement controls, and other significant events must be clear and readily available\nfor examination." Finally, National Institute of Standards and Technology (NIST) Special\nPublication 800-18, 5.MA.7, requires that system documentation be maintained as part\nof a formalized security and operational procedures record. Therefore, agencies must\nestablish a clear methodology for verifying performance measure values, and retain the\nappropriate documentation to enable an audit of their performance measure values\nbased on the methodology. Although this requirement was not effective for the FY 1998\nAccountability Report, it is effective beginning in FY 1999.\n\nWhile general policies and procedures exist for all documents produced at SSA (as\nfound in the SSA Administrative Instructions Manual System/Operational and\nAdministrative Record Schedules), SSA does not have formal policies and procedures\nin place regarding the retention of performance measure documentation. During\ntesting, we noted that SSA lacked sufficient documentation regarding the processes\nsurrounding the accumulation and generation of performance indicator data.\nFurthermore, SSA could not consistently provide the documentation necessary to verify\ntheir performance measure values as reported in their FY 1998 Accountability Report.\n\nSpecifically, we noted that SSA was unable to provide a comprehensive process map\ndocumenting the flow of performance measure data from the receipt of an SSI claim,\nthrough the Supplemental Security Record system (SSR, the system of record), through\nthe SSI Claims Exception Control System, to the accumulation of yearly performance\n\n\n\n                                           3\n\n\x0cmeasure data in the Cost Analysis System (CAS). Additionally, during our effort to map\nthe process, we received discrepant information implying two possible data flows in the\nmanagement information systems. We have mapped the process in Appendix E by\ntracing the flow of data upstream. However, we believe that both paths produce\nequivalent results. Nevertheless, this discrepancy further underscores the need for\nclear performance measure documentation. Furthermore, we were unable to evaluate\nthe systemic flow of data from the SSR to the SSI Claims Exception Control System.\nWithout this information, we had to use FY 1999 data to assess the reasonableness of\nthe performance measure.\n\nIf SSA does not establish a methodology for verifying performance measure values and\ninstitute an adequate document retention system, they will be in compliance with GPRA.\nFurthermore, a significant lack of documentation does not provide a proper audit trail to\nfacilitate verification of the performance measures as required by GPRA.\n\nRecommendations:\nWe recommend that SSA expand the role of Office of Strategic Management (OSM)\nwith respect to performance measures or place ownership for the performance measure\nprocess and reporting within an organizational unit. In either case, data ownership\nwould still remain with the user organizations. However, an organizational unit should\nbe accountable for the overall performance measure processes and results. Their\ncharter should include the following responsibilities:\n\n\xe2\x80\xa2\t Identify and document the processes surrounding the generation and accumulation\n   of performance measure values. This would establish a clear method for verifying\n   and validating the performance measures\n\n\xe2\x80\xa2\t Establish policies and procedures surrounding the retention of performance measure\n   documentation. The documentation retained should allow for the timely verification\n   of the performance measure values, and should be maintained for at least one year\n\n\xe2\x80\xa2\t As new systems are developed, evaluate their potential impact on the accumulation\n   of performance measure data. Systems with potential impact should be designed to\n   include the means of producing a verifiable audit trail to validate the performance\n   measure results as they are defined in the Accountability Report\n\n\n2.    SSA has a number of data integrity deficiencies\n\nOMB Circular No. A-127, Financial Management Systems, requires that a Federal\nAgency\'s systems include a system of internal controls to ensure that the data used to\nproduce reports is reliable. During our FY 1999 Financial Audit, we noted a number of\ndata integrity deficiencies that result in a lack of control over both the input and\nmaintenance of data, as well as the resolution of suspense items. While an adverse\neffect upon performance measure data was not observed during our testing, this lack of\n\n\n\n\n                                            4\n\n\x0ccontrol can affect the validity and completeness of the performance measures as\nfollows:\n\n\xe2\x80\xa2\t When DACUS (Death, Alert, and Control Update System) receives death information\n   and compares it to SSA\xe2\x80\x99s NUMIDENT, MBR, SSR, and Black Lung databases\n   without a successful match, the record is posted to the DACUS exception file.\n   However, no subsequent follow-up is performed on items in this exception file to try\n   to resolve any matches that may not have been detected based on the automated\n   matching algorithm. While this data may not have a direct effect on the performance\n   measures, a noted lack of data verification in these databases indicates the\n   possibility that other data lacks integrity\n\n\xe2\x80\xa2\t SSA\xe2\x80\x99s current practice of obtaining death data does not ensure that this data is\n   entered into DACUS accurately, timely, and only once (affects the NUMIDENT,\n   MBR, and SSR). While this data may not have a direct effect on the performance\n   measures, a noted lack of data verification in these databases indicates the\n   possibility that other data lacks integrity\n\n\xe2\x80\xa2\t A comparison of the MBR, SSR, and NUMIDENT identified a large number of cases\n   where either the individual was alive and in current pay status on the MBR/SSR but\n   listed as dead on the NUMIDENT, or the corresponding records of a given individual\n   had significant differences in dates of death. While this data may not have a direct\n   effect on the performance measures, a noted lack of data verification in these\n   databases indicates the possibility that other data lacks integrity\n\n\xe2\x80\xa2\t A comparison of the MBR, SSR, and NUMIDENT identified a large number of cases\n   where the corresponding records of a given individual had significant differences in\n   dates of birth. While this data may not have a direct effect on the performance\n   measures, a noted lack of data verification in these databases indicates the\n   possibility that other data lacks integrity\n\nRecommendations:\nAs previously stated in the FY 1999 Accountability Report, we recommend the following:\n\n\xe2\x80\xa2\t SSA should develop policies and procedures for the resolution of unmatched items\n   in DACUS and establish a work group with primary responsibility for resolution. One\n   of the duties of this group should be to analyze patterns in exceptions and facilitate\n   the implementation of changes to the automated matching algorithm to make it more\n   effective\n\n\xe2\x80\xa2\t SSA should implement: 1) initiatives to reduce the amount of time required by\n   outside sources for submitting death notifications, such as the electronic death\n   certificate project currently being tested; and, 2) a method to prevent the submission\n   or receipt of duplicate information, whether submitted from the same or different\n   sources (DACUS, NUMIDENT, MBR, SSR)\n\n\n\n                                            5\n\n\x0c\xe2\x80\xa2\t With the completion of the Year 2000 project in FY2000, SSA should begin\n   implementation of DACUS Release 2 (a high priority of SSA\xe2\x80\x99s five-year IRM plan), to\n   provide functionality to automatically delete NUMIDENT death postings when a\n   person is \xe2\x80\x9cresurrected\xe2\x80\x9d on the MBR and SSR (NUMIDENT, MBR, SSR)\n\n\xe2\x80\xa2\t SSA should firm up plans to implement the ICDB R2 functionality for the SSI system\n   (SSR) to provide updated (substantiated) date of birth information to the NUMIDENT\n   (NUMIDENT, MBR, SSR)\n\n\n3.       SSA\'s system environment has security deficiencies\n\nWe noted in our FY 1999 Financial Audit that SSA\xe2\x80\x99s systems environment remains\nthreatened by weaknesses in several components of its information protection internal\ncontrol structure. Because disclosure of detailed information about these weaknesses\nmight further compromise controls, we are providing no further details here. Instead,\nthe specifics are presented in a separate, limited-distribution management letter, dated\nNovember 18, 1999. The general areas where weaknesses were noted are:\n\n\xe2\x80\xa2\t The entity-wide security program and associated weaknesses in developing,\n   implementing and monitoring local area network (LAN) and distributed systems\n   security;\n\n\xe2\x80\xa2    SSA\xe2\x80\x99s mainframe computer security and operating system configuration;\n\n\xe2\x80\xa2    Physical access controls at non-headquarter locations; and\n\n\xe2\x80\xa2\t Certification and accreditation of certain general support and major application\n   systems.\n\nUntil corrected, these weaknesses will continue to increase the risks of unauthorized\naccess to, and modification or disclosure of, sensitive SSA information. While these\nweaknesses do not directly affect the performance measures, a risk still exists.\nUnauthorized access to sensitive data can result in the loss of data associated with\nSSA\xe2\x80\x99s enumeration, earnings, retirement, and disability processes and programs, thus\naffecting all performance measures.\n\nRecommendations:\nAs previously reported in the FY 1999 Accountability Report, we recommend that SSA\naccelerate and build on its progress to enhance information protection by further\nstrengthening its entity-wide security as it relates to implementation of physical and\ntechnical computer security mechanisms and controls throughout the organization. In\ngeneral, we recommend that SSA:\n\n\xe2\x80\xa2    Reevaluate its overall organization-wide security architecture;\n\n\n\n                                              6\n\n\x0c\xe2\x80\xa2\t Reassess the security roles and responsibilities throughout the organization\xe2\x80\x99s central\n   and regional office components;\n\n\xe2\x80\xa2\t Assure that the appropriate level of trained resources are in place to develop,\n   implement and monitor the SSA security program;\n\n\xe2\x80\xa2\t Enhance and institutionalize an entity-wide security program that facilitates\n   strengthening of LAN and distributed systems\xe2\x80\x99 security;\n\n\xe2\x80\xa2    Review and certify system access for all users;\n\n\xe2\x80\xa2\t Enhance procedures for removing system access when employees are transferred\n   or leave the agency;\n\n\xe2\x80\xa2    Decrease vulnerabilities in the mainframe operating system configuration;\n\n\xe2\x80\xa2    Implement the mainframe monitoring process;\n\n\xe2\x80\xa2    Finalize accreditation and certification of systems;\n\n\xe2\x80\xa2\t Develop and implement an ongoing entity-wide information security compliance\n   program; and\n\n\xe2\x80\xa2    Strengthen physical access controls at non-headquarters sites.\n\nMore specific recommendations are included in a separate, limited-distribution\nmanagement letter, dated November 18, 1999.\n\n\n4.      This performance indicator could better reflect agency performance\n\nGPRA requires Federal agencies to "establish performance indicators to be used in\nmeasuring or assessing the relevant outputs, service levels, and outcomes of each\nprogram activity." Accordingly, the performance measures used should clearly\nrepresent the outcome of the related performance goal. While GPRA-based metrics are\nintended as external performance measurement tools, this must be balanced by an\norganization\'s ability to measure and improve its own performance from within. For\nPerformance Measure #3, SSA defines the measure as the number of SSI-Aged\napplications completed (approved or denied) by the time the first regular continuing\npayment is due, or within 14 days of the effective filing date, if later, divided by the total\nnumber of SSI-Aged applications processed during the fiscal year.\n\nAn application is considered timely and is included in the numerator if it meets the\n"Service Delivery Objective." This definition implies two scenarios. In the first scenario,\nthe claimant is applying for continuing benefits well in advance of the first regular\ncontinuing payment due date. The Service Delivery Objective is considered to be\n\n\n                                               7\n\n\x0csatisfied if the application is completed and approved by that payment due date. In the\nsecond scenario, the claimant is either making his/her first application or is applying for\ncontinuing benefits 14 days or less prior to the first regular continuing payment due date\nor anytime after that date. In this case, the Service Delivery Objective is satisfied if the\napplication is completed and approved within 14 days.\n\nThis latter scenario illustrates how this performance measure is susceptible to factors\noutside of SSA\'s control. In assessing how the service delivery time is measured (in\nmost cases other than advance filings), the clock starts when the claimant initially\nmakes contact with the field office and it stops when the claims system finalizes a\ndecision. However, this measure is further complicated because the start time varies\ndepending on when the claim is processed.\n\nNevertheless, the claimant has a considerable influence over the outcome because\nSSA must rely upon him/her to show up for interviews and bring the necessary\ndocumentation. As a result, SSA is measuring the performance of both the claimant\nand the field office. SSA has suggested plausible explanations for using the current\ndefinition. For example, one SSA representative suggested that the existing measure\nwas partially designed to ensure that field offices could provide interview slots on a\ntimely basis when claimants called to schedule interview appointments. While this is\ncertainly a noble objective, it can be measured by using a more direct metric.\n\nThis performance measure exposes the agency to other outside factors, as well. Many\nof the SSI claims are teleclaims, which are sent through the mail to the client for review\nand signature, and then back through the mail to the field office. As a result, the metric\nincludes measurement of the postal system, which is also beyond SSA\'s control. To the\nagency\'s credit, they have deliberately excluded mail time from other performance\nmeasures, such as the one measuring SSN request processing time.\n\n\nThis is further magnified if the metric is used to compare the performances of the field\noffices. While it is valid to expect SSA field offices to provide roughly equivalent levels\nof service, the inclusion of the claimants can potentially skew the measure based on\ndiffering demographics served by those field offices. In other words, variations in\ndemographics might lead to variations in how well the claimants perform in providing the\nnecessary information and making it to interviews.\n\nIn addition, this performance measure covers many activities or process steps that fall\nunder different areas of responsibility (the applicant, the field office, the MCS system,\netc.) In certain situations, such a performance measure becomes more useful if it stops\nwhen the locus of responsibility changes, otherwise it may be difficult to locate problems\nor diagnose bottlenecks.\n\n\n\n\n                                             8\n\n\x0cRecommendations:\nWe recommend that the performance measure be redefined so that it does not expose\nthe agency to such a high degree of outside factors, thus placing the responsibility to\nperform solely on SSA.\n\n\n5.\t   GPRA documents prepared for external evaluation of SSA performance\n      could better document the sources of the performance measures\n\nSince FY 1999, OMB circular A-11, Preparation and Submission of Strategic Plans,\nAnnual Performance Plans, and Annual Program Performance Reports, states that "the\nannual plan must include an identification of the means the agency will use to verify and\nvalidate the measured performance values." This suggests that an agency should detail\nthe source of performance data. SSA\'s documents prepared for external reporting,\nincluding the 1997-2002 Strategic Plan, the FY 2000 Annual Performance Plan, and the\nFY 1998 Annual Accountability Report, could better document the SSA sources used to\nobtain the performance measures we evaluated.\n\nIn the case of three performance measures, the FY 2000 Annual Performance Plan, the\nmost recent document at the time of this evaluation, does list a data source for\nPerformance Measure #1 as "The End-of-Line Processing Report," a data source for\nPerformance Measure #3 as "The Title XVI Processing Time System," and a data\nsource for Performance Measure #8 as the "Earnings Posted Overall Cross Total/Year\nto Date System (EPOXY)." However, the external stakeholder is not told of the origin of\nthese documents or of the underlying processes and programmatic systems that\nproduce the reported metrics. Furthermore, the sources of the other six measures are\nnot clearly indicated.\n\nAll nine metrics are referred to in the SSA documentation as GPRA indicators. As a\nresult, OMB Circular A-11, Section 220.12, requires that they be documented. By\nimproving the description of the sources, SSA would enhance the credibility of the\nunderlying data used to formulate each performance measure.\n\nRecommendation:\nWe recommend that SSA develop clear and concise descriptions of each performance\nmeasure\'s source. As specifically recommended by OMB Circular A-11, these\ndescriptions should include:\n\n\xe2\x80\xa2\t The current existence of relevant baseline data, including the time-span covered by\n   trend data;\n\xe2\x80\xa2 The expected use of existing agency systems in the collection and reporting of data;\n\xe2\x80\xa2 The source of the measured data;\n\xe2\x80\xa2\t Any expected reliance on an external source(s) for data, and identification of the\n   source(s); and\n\xe2\x80\xa2\t Any changes or improvements being made to existing data collection and reporting\n   systems or processes to modify, improve, or expand their capability.\n\n\n                                           9\n\n\x0c6.     CAS procedural and systems documentation have not been updated\n\nOMB Circular A-127, Financial Management Systems, requires that all system\n"documentation (software, system, operations, user manuals, operating procedures,\netc.) shall be kept up- to-date" and that "system user documentation shall be in\nsufficient detail to permit a person, knowledgeable of the agency\'s programs and of\nsystems generally, to obtain a comprehensive understanding of the entire operation of\neach system. Technical systems documentation such as requirements documents,\nsystems specifications and operating instructions shall be adequate to enable technical\npersonnel to operate the system in an effective and efficient manner."\n\nDuring our FY 1999 Financial Audit testing, we noted that the procedural and systems\ndocumentation for CAS was not current, with the last update occurring in FY 1995.\nSince this last update, two major changes have occurred: (1) a reorganization that\ncombined functions of the former Cost Analysis Branch and the former Budget Systems\nBranch into the Division of Cost Analysis (DCA), and (2) migration of CAS to the\nNational Computer Center mainframe computer system. Thus, out-of-date\ndocumentation could result in a situation where new and/or existing DCA employees do\nnot have adequate reference material to assist them in the timely and successful\ncompletion of their job tasks/responsibilities. If SSA does not use CAS successfully, all\nperformance measure indicators accumulated using CAS (including #4) could be\naffected. Data relating to the relevant performance measures may not be accumulated\ncorrectly or completely. It should be noted that SSA is in the process of replacing CAS\npiecemeal. As segments are replaced, SSA has obtained current systems\ndocumentation (but not procedural documentation).\n\nRecommendations:\nWe recommend that DCA explore alternatives for acquiring the resources needed to\nupdate the existing CAS procedural and systems documentation, and to obtain\nprocedural documentation for the replacement systems.\n\n\n7.     SSA has systems design and documentation deficiencies\n\nDuring our FY 1999 Financial Audit testing, we noted specific systems design and\ndocumentation deficiencies that indicate a lack of control over both the system design\nand documentation. While these deficiencies do not have a direct effect on the\nperformance measures, a risk still exists. This lack of control affects the ability of SSA\nto effectively design, implement, and use their computer systems. If SSA is not\neffectively using their computer systems to accumulate and calculate performance\nmeasures, the resulting performance measure amounts could be affected. Our specific\nfindings were:\n\n\xe2\x80\xa2\t Full documentation of program changes evidencing user approval and testing was\n   not always maintained. In addition, user initiation of changes to production\n\n\n\n\n                                            10\n\n\x0c     programs could not be confirmed due to the absence of documentation indicating\n     who initiated the changes;\n\n\xe2\x80\xa2\t Software Engineering Technology (SET) did not establish different requirements for\n   major development projects, routine maintenance, and cyclical changes; and\n\n\xe2\x80\xa2\t SSA\xe2\x80\x99s System Security Handbook (Chapter 10 on Systems Access Security) does\n   not list all of the acceptable forms for granting access to SSA\xe2\x80\x99s computerized\n   systems and data.\n\nRecommendations:\nAs previously stated in the FY 1999 Accountability Report, we recommend the following:\n\n\xe2\x80\xa2\t SSA should complete implementation of it\'s Validation Transaction Tracking System\n   (VTTS) and continue with its plan to automate the process for submitting System\n   Release Certification (SRC) forms\n\n\xe2\x80\xa2\t SSA should complete implementation of Platinum\'s Process Engineering Tool (PET)\n   and institutionalize Carnegie Mellon\'s Software Engineering Institute\'s Capability\n   Maturity Model (CMM) methodology\n\n\xe2\x80\xa2\t SSA should update its System Security Handbook (Chapter 10 on Systems Access\n   Security) to address all of the acceptable forms for granting access to SSA\xe2\x80\x99s\n   computer systems and data\n\n\n8.      SSA has a number of deficiencies in their systems contingency plan\n\nAs a result of the FY 1999 financial audit, we noted a number of deficiencies which, in\nour view, would impair SSA\xe2\x80\x99s ability to respond effectively to a disruption in business\noperations as a result of a disaster or other long-term crisis. Although SSA has\nperformed a Business Impact Analysis, its list of critical workloads is still being finalized,\nand recovery time objectives (RTOs) have not yet been established for each of the\ncritical workloads. Consequently, SSA has not established recovery priorities for all of\nits systems in the mainframe and distributed environments. Further, the plan for\nrecovering the critical workloads still needs to be fully tested. Finally, SSA has not fully\nupdated the contingency plans for the headquarters site or finalized and tested\ncontingency plans for non-headquarters sites.\n\nWhile deficiencies in a contingency plan does not directly affect performance measures,\na risk still exists. A failure to respond effectively to a disruption through proven recovery\nprocedures could affect both the quality and quantity of data used in the accumulation\nand calculation of all performance measures.\n\nRecommendations:\nAs previously stated in the FY 1999 Accountability Report, we recommend that SSA:\n\n\n                                              11\n\n\x0c\xe2\x80\xa2\t Finalize the list of critical SSA workloads and fully test the plans for recovering each\n   workload;\n\n\xe2\x80\xa2     Establish RTOs for each critical workload;\n\n\xe2\x80\xa2\t Establish recovery priorities for all systems and applications (mainframe and\n   distributed);\n\n\xe2\x80\xa2     Update contingency plans for headquarters;\n\n\xe2\x80\xa2\t Finalize and test SSA\xe2\x80\x99s ultimate strategy for implementing and maintaining alternate\n   processing facilities; and\n\n\xe2\x80\xa2     Finalize and test contingency plans for non-headquarters sites.\n\n\nOTHER MATTERS\n\nAs part of this evaluation, PwC was tasked to evaluate the appropriateness of the\nperformance measures. In this section, we discuss the relevance of each performance\nmeasure with respect to GPRA and look to the future by evaluating SSA\'s readiness to\nincorporate the final phases of GPRA into their processes.\n\n1.\t      Documents prepared for external evaluation of SSA performance could be\n         improved to clearly explain the intended uses of the performance measures\n         to comply with future GPRA requirements\n\nThe United States General Accounting Office (GAO) encourages agencies to "include\nexplanatory information on the goals and measures." 1 In addition, best practices in\nperformance measurement dictate that agencies should provide external stakeholders\nwith such information. Furthermore, it can be expected that agencies will be required to\nprovide such information in the near future as GPRA continues to evolve.\n\nOver the past few years, SSA has continuously improved their performance planning\ndocuments by adding in-depth discussions on their strategies and key performance\nindicators. With respect to the performance metrics studied as part of this evaluation,\nhowever, the 1997-2002 Strategic Plan, the FY 2000 Performance Plan, and the FY\n1998 Annual Accountability Report do not clearly explain the intended purpose of each\nperformance measure with respect to evaluating overall SSA performance. In each\ncase, the documents clearly associate each metric with the strategic goals and\nobjectives that they support, but they do not explain to the external stakeholder exactly\nhow they are applied.\n\n\n\n1\n    GAO/GGD/AIMD-99-69, "Agency Performance Plans"\n\n\n                                             12\n\n\x0cDescribing the use of these performance measures would help to clarify the overall\nobjectives of the SSA strategic planning process and would clarify how the subject\nmetrics fit into that process.\n\nIn a July 1999 report2, the General Accounting Office (GAO) rated Fiscal Year 2000\nAnnual Performance Plans of all federal agencies in three key elements of \xe2\x80\x9cinformative\nperformance plans:\xe2\x80\x9d\n\n1. Clear pictures of intended performance\n2. Specific discussion of strategies and resources\n3. Confidence that performance information will be credible\n\nAlthough SSA was considered relatively strong as compared to most other agencies,\ntheir weakest ratings were received for the categories of "Degree of Confidence that\nPerformance Information will be Credible" and "Specificity of Strategic Resources." Our\nobservations were consistent with these findings (see Item #5 in previous section,\nResults of Engagement). However, if SSA develops clear and concise descriptions of\neach performance measure\'s source and its intended strategic use, we believe they can\nbolster their future GAO ratings relative to informative performance plans.\n\n\n\n2.\t      The nine performance measures are not explicit performance budgeting\n         metrics, but are nonetheless appropriate internal performance indicators\n         and are useful to the SSA strategic planning process\n\nAn important intent of GPRA in the future is to facilitate performance budgeting, which\nwill allow Federal agencies to allocate resources in an effort to achieve "optimal" results.\nConsequently, agencies must develop measures that will help external stakeholders\nsuch as Congress to match resources to performance.\n\nUnder GPRA requirements, an agency must rely on two distinctive types of measures:\n\n         Outcome performance measures. These measures are intended to gauge the\n         effectiveness of the organization at fulfilling its strategic goals. Often, however,\n         these performance measures are not completely under the span of influence of\n         the organization. Consequently, while they represent good measures of the\n         accomplishment of a strategic goal, they do not reflect the success of an\n         organization in contributing to the achievement of the goal.\n\n         Workload and output performance measures.3 These measures are used to\n         gauge the level of effort required for a given activity, including characteristics\n         established as performance standards (e.g., Percent of OASI claims processed\n2\n    GAO/GGD/AIMD-99-215, July 1999.\n\n3\n  The SSA documentation refers to such metrics strictly as outputs, but that is merely a matter of\n\nsemantics. In either case, they refer to a level of effort for a given activity.\n\n\n\n                                                13\n\n\x0c      by the time the first regular payment is due or within 14 days from effective filing\n      date, if later).\n\nWhile outcome performance measures are often more accurate indicators of the\nsuccess or failure of an organization\'s strategic goals, it is workload and output\nmeasures that fall under an organization\'s span of influence. Consequently, workload\nand output measures are more often used in external reporting to support organizational\nactivities. However, these workload and output performance measures are seldom\nrelated to either outcomes or amount of resources spent processing the workload or\ncreating the output. As a result, they represent little value to external stakeholders\nmaking resource allocation decisions.\n\nIf viewed in isolation, none of the nine performance measures considered on this project\nwould suffice as explicit outcome performance measures for external stakeholders to\nuse in a resource allocation or performance budgeting oversight role. However, that is\nnot to say that these measures are not of value. In fact, they indicate to external\nstakeholders, including congressional appropriators, customers, policy makers, and the\ngeneral public, how effective SSA is at fulfilling its overall mission. More importantly,\nthey serve a useful internal purpose in the SSA performance planning process. For\nexample, many of the measures we analyzed (Performance Measures 2, 4, 5, 6, and 7)\nare workload counts, which are important for individual program managers when\nmaking management decisions.\n\n      Performance Measure #3. The FY 2000 Annual Performance Plan uses this\n      metric to support the strategic objective "to raise the number of customers who\n      receive service and payments on time, specifically by 2002", which, in turn,\n      supports the strategic goal to provide world class service. This measure is not\n      particularly valuable to an external stakeholder for performance budgeting\n      because it does not relate resource utilization to outputs or outcomes. However,\n      this measure is clearly useful as an internal indicator, particularly with respect to\n      the strategic objectives it supports and it does help to indicate the overall\n      effectiveness of SSA at fulfilling its mission.\n\n      Performance Measure #4. The FY 2000 Annual Performance Plan (Appendix 1)\n      uses this metric as "Output Measures for Major Budgeted Workloads" to support\n      the strategic objective "to deliver customer-responsive world-class service."\n      However, it is not clear how it accomplishes this.\n\n      This measure is not particularly valuable to an external stakeholder for\n      performance budgeting because it does not relate resource utilization to an\n      output or outcome. However, it is clearly not intended for that purpose because\n      the SSA documentation identifies it as an output measure for workload and this\n      measure does help to indicate the overall effectiveness of SSA at fulfilling its\n      mission.\n\n\n\n\n                                            14\n\n\x0cTo SSA\'s credit, they have developed a number of useful performance measures in the\nspirit of GPRA and have discussed them in proper detail in the FY 2000 Performance\nPlan. 4 As we have shown, the nine performance measures covered by this project can\nnot be considered as true high-level, external measures. Nevertheless, they do appear\nto have specific uses, as discussed above. Again, SSA would benefit the external\nstakeholder by clarifying exactly what these intended uses are (see \xe2\x80\x9cOther Matters\xe2\x80\x9d item\n#1).\n\n3.\t    SSA is positioned to be a leading performance-based budgeting\n       organization and to meet the future requirements of GPRA\n\nSince 1988, SSA has an established history of strategic planning, using specific\nperformance measurements. Building on this history, SSA implemented GPRA\'s\nrequirements for strategic planning, performance planning, and performance reporting.\nOne of GPRA\'s ultimate objectives is to facilitate performance budgeting, which will\nallow Federal agencies to allocate resources in an effort to achieve "optimal" results.\nConsequently, to help external stakeholders such as Congress match resources to\nperformance, agencies must eventually develop performance measures that are linked\nto resource requirements.\n\nPerformance budgeting is the analysis of performance measurement data for the\npurpose of allocating budgetary resources more effectively. Specifically, performance\nbudgeting for GPRA is complete upon the submission of multiple resource-to-result\nscenarios within one annual budget.\n\nThe final stage of GPRA implementation is the successful piloting of performance\nbudgeting at no less than five federal agencies. Currently, few federal agencies are\ncapable of acting as a performance budgeting pilot and this final stage of GPRA has\nconsequently been delayed. However, the Office of Management and Budget (OMB)\nhas recently designated SSA as one of the government-wide performance budgeting\npilot projects. Within SSA, the Continuing Disability Reviews program is the specific\nactivity covered by this designation. OMB considers the performance budgeting pilot\nprojects to be an opportunity to examine the feasibility and potential application of\nseveral approaches to performance budgeting. In this context, OMB intends to use\nperformance and resource data provided by the pilots during development of the FY\n2001 budget and to report to Congress on the results of the pilots no later than March\n31, 2001, as required by GPRA. With proper planning and preparation, SSA is uniquely\npositioned to be one of the first truly successful performance-based budgeting\norganizations.\n\n\n\n\n4\n  In earlier documents, such as the FY 1998 Accountability Report, SSA presented the\nperformance measures in a manner that seemed to give each one equal weight. In the more\nrecent documents, however, SSA has placed greater emphasis on the more high-level, outcome\noriented performance measures.\n\n\n                                            15\n\n\x0cIn anticipation of the next phase of GPRA, we believe SSA needs to develop a suitable\nperformance budgetary model by combining cost accounting concepts with performance\nmeasurement methodology. A high-level description of one possible model is listed\nbelow:\n\n\xe2\x80\xa2 SSA defines a set of reporting segments that represent all of their work.\n\xe2\x80\xa2 SSA maps their performance measurements to these specific reporting segments.\n\xe2\x80\xa2\t SSA calculates person-hours associated with these reporting segments, so that all\n   personnel within SSA are accounted for in the model.\n\xe2\x80\xa2\t SSA builds the model around this data to allow for current resource to\n   workload/result analysis and future resource to workload/result forecasting.\n\nSSA could build this model at any level of detail: by resource type, resource location, or\nany other classification methodology. By linking resources to performance goals at this\nlevel of detail, SSA would thus satisfy the annual performance-planning requirement for\nspecificity of strategies and resources, while striving to become the first agency to\nsuccessfully implement performance budgeting.\n\n\n\n\n                                            16\n\n\x0c                           APPENDICES\n\n\nAPPENDIX A \xe2\x80\x93 Background\n\nAPPENDIX B \xe2\x80\x93 Scope and Methodology\n\nAPPENDIX C \xe2\x80\x93 Agency Comments\n\nAPPENDIX D \xe2\x80\x93 Performance Measure Summary Sheets\n\nAPPENDIX E \xe2\x80\x93 Performance Measure Process Maps\n\n\x0c                                                                              Appendix A\n\n                             BACKGROUND\n\nGovernment Performance and Results Act\n\nThe Government Performance and Results Act (GPRA) was enacted to increase\naccountability in the Federal agencies. Prior to GPRA, Federal agencies lacked well-\ndefined program goals and adequate feedback regarding program performance. This\nhindered Federal agencies in their efforts to increase program efficiency and\neffectiveness, and prevented them from being accountable. Furthermore, this lack of\naccountability on the part of the Federal managers prevented Congress from making\ninformed budgetary decisions. In order to increase accountability, GPRA required\nFederal agencies to develop 5-year strategic plans, annual performance plans, and\nannual performance reports.\n\n Strategic plans define an agency\'s mission in terms of their major functions and\noperations. The agency\'s goals and objectives, and how they will be achieved by the\nagency, must be included in their strategic plan. The strategic plan also describes the\nquantifiable performance measures to be used by the agency, and how they relate to\nthe agency\'s goals and objectives.\n\nAnnual performance plans establish objective, quantifiable, and measurable\nperformance goals for an agency. These plans also describe the operational processes\nand resources necessary to meet the performance goals, establish performance\nindicators to measure the relevant outcomes, and provide a basis for comparing the\noutcomes with the performance goals. The annual performance plans also provide a\nmeans to validate and verify the measured outcomes.\n\nAnnual performance reports compare the actual program performance achieved with\nthe performance goals for each performance indicator defined in the agency\'s annual\nperformance plan. These reports contain the agency\'s evaluation of their performance\nplan relative to the performance achieved during the fiscal year. If performance goals\nhave not been met, the agency must include an explanation, as well as a plan for\nachieving the performance goals in the future. Alternatively, if the agency believes the\ngoals are impractical, they would include their rationale and recommended alternatives\nin the annual performance report.\n\nSSA\'s Performance Measures\n\nThe Social Security Administration (SSA) defined five strategic goals in it\'s FY 1998-\n2002 strategic plan, Keeping the Promises:\n\n1.\t Promote valued, strong, and responsive social security programs and conduct\n    effective policy development, research, and program evaluation\n\n\n                                           A-1\n\n\x0c2. Deliver customer-responsive, world-class service\n3.\t Make SSA program management the best in the business, with zero tolerance for\n    fraud and abuse\n4. Be an employer that values and invests in each employee\n5. Strengthen public understanding of the social security programs\n\nFor each strategic goal, SSA\'s strategic plan also defined specific objectives to achieve\neach of the goals.\n\nSSA\'s FY 1998 annual GPRA performance report, published as part of their FY 1998\nAccountability Report, includes actual performance data and goals for 57 performance\nmeasures. PricewaterhouseCoopers was engaged to evaluate nine specific\nperformance indicators found in SSA\'s FY 1998 Accountability Report. The\nperformance indicators (or performance measures, as they are referred to in the\nAccountability Report) are as follows:\n\n1.\t Percent of OASI claims processed by the time the first regular payment is due or\n    within 14 days from effective filing date, if later\n2. OASI claims processed\n3. Percent of initial SSI aged claims processed within 14 days of filing\n4. SSI aged claims processed\n5. Representative payee actions\n6. SSN requests processed\n7. Annual earnings items\n8. Percent of earnings posted to individuals\xe2\x80\x99 records by September 30\n9. Percent of individuals issued SSA-Initiated PEBES as required by law\n\nDuring testing, it was noted that the nine performance measures could be defined by six\ndistinct processes. The systematic flow of information for three of the measures was\nalmost identical to the flow of information for three other measures. Furthermore, these\ngroupings match those that the OIG has selected for generating their upcoming reports.\nThe six processes are as follows:\n\n1.    RSI claims (performance measures #1 and #2)\n2.    SSI aged claims (performance measures #3 and #4)\n3.    Representative payee actions (performance measure #5)\n4.    SSN requests processed (performance measure #6)\n5.    Annual earnings items (performance measures #7 and #8)\n6.\t   Percent of individuals issued SSA-Initiated PEBES as required by law (performance\n      measure #9)\n\nThis report represents our understanding and evaluation of the SSI aged claims\nprocess.\n\nThe SSI aged claims process encompasses performance measures #3 and #4.\nPerformance measure #3, percent of initial SSI aged claims processed within 14 days of\n\n\n\n                                           A-2\n\n\x0cfiling, determines whether the SSI claims process is functioning in a timely and accurate\nmanner. The objective is to raise the number of customers who receive service and\npayments on time, which relates to the strategic goal regarding delivery of customer-\nresponsive world-class service.\n\nThis performance measure is presented as a percentage. The numerator is defined as\nthe total number of Initial SSI Aged applications completed (both approved and denied)\nthrough the SSA operational system before the first regular continuing payment is due,\nor not more than 14 days from the filing date (see explanation below), if later. The\ndenominator is defined as the total number of SSI aged claims processed (completed,\nboth approved and denied) for the fiscal year. The FY 1998 performance goal was 66\npercent, and SSA reported the performance result as 54.2 percent.\n\nThe calculation of processing time begins with either the effective filing date (the earliest\ndate for which benefits will be paid -- only applies to applications filed before August 22,\n1996) or the protective filing date (the date the applicant first contacts SSA), and ends\nwith the Initial Decision Date (IDD).\n\nPerformance measure #4, SSI aged claims processed, totals the number of initial SSI\naged claims processed during the fiscal year. The objective of the measure is to assist\nSSA in positioning their resources and processes to meet emerging workloads. This\nobjective relates to SSA\'s third strategic goal, to "make SSA program management the\nbest in the business, with zero tolerance for fraud and abuse".\n\nThis performance measure is presented as a workload count, and includes all SSI aged\nclaims that are completely processed during the fiscal year. The measure includes both\napproved and denied claims, and excludes pending claims. The FY 1998 performance\ngoal was 150,500 claims processed, and SSA reported the performance result as\n135,442 claims processed.\n\nPerformance measures #3 and #4 are obtained from the SSI-Aged Claims Process.\nThe flow of data is depicted in top-level form in Figure 2, and the corresponding process\nis shown in greater detail in Appendix E.\n\n                                       SSI-Aged Claims Process\n                    Modernized SSI\n           Input    Claims System\n                      (MSSICS)                                                    SSI Claims          SSI Claims\n                                         SSI Batch Update     Supplemental\n                                                                               Exception Control   Reporting System\n                                              System         Security Record\n                                                                                    Record             (SSICR)\n\n\n\n                     "Manual" Input\n           Input\n                   with CICS Screens\n\n                                                                                                    Accountability\n                                                                                  GETSSICR\n                                         SSICR Database           PM #3                                Report\n                                                                                  (SSAMIS)\n\n\n\n\n                                              PM #4\n\n\n                                          Integrated Work\n                                                                                                    Accountability\n                                           Measurement         GETWORK          Cost Analysis\n                                                                                                       Report\n                                               System          (SSAMIS)         System (CAS)\n                                               (IWMS)\n                                                            A-3\n\x0c                                        Figure 2\n\nThe major underlying programmatic system used by the Field Offices to process SSI-\nAged Claims is the Modernized SSI Claims System (MSSICS). MSSICS provides users\nwith entry screens and on-line checks, and ultimately produces transaction files for use\nby the SSI Batch Update System. However, in unique circumstances, the Field Offices\ncan also use CICS screens to manually build transaction files for batch processing.\n\nOnce the transaction files are complete, the claims are sent to the SSI Batch Update\nSystem. This system creates a new Supplemental Security Record (SSR), performs\nNUMIDENT and MBR interface checks, and triggers either an award or denial notice.\nAt this point in time, the Initial Determination Date is posted to the SSR. For awarded\nclaims, the system also computes the benefit and payment schedule.\n\nThroughout the batch process, the system provides status updates for each claim to the\nSSI Claims Exception Control System. The data for completed claims are subsequently\npassed on to the SSI Claims Reporting System (SSICR), also referred to as "T16".\n\nPerformance measure #3 is computed by SSICR as it calculates the processing time for\neach claim and compares it to the performance objective of 14 days. SSICR then\ncalculates the percentage of cases meeting the performance objective and places this\nvalue in the SSICR database. OIM then obtains PM #3 from the SSICR database using\nGETSSICR, which is part of the SSAMIS system, and subsequently provides the\nnumber to OFPO for inclusion in the Accountability Report.\n\nPerformance measure #4 is also computed by SSICR. It tabulates the counts for\ncompleted claims and places them in the SSICR database. The values are then\ntransferred electronically to IWMS. PM #4 is comprised of both welfare and non-welfare\ncomponents, which are stored in IWMS as DOWR 8 and DOWR 64, respectively. OIM\nobtains these counts from IWMS using the GETWORK module of the SSAMIS system.\nOIM then enters these counts into the Cost Analysis System (CAS), which automatically\ncomputes PM #4 by adding the two components. OFPO obtains PM #4 from CAS for\ninclusion in the Accountability Report.\n\n\n\n\n                                           A-4\n\n\x0c                                                                               Appendix B\n\n               SCOPE AND METHODOLOGY\n\nThe SSA OIG contracted PricewaterhouseCoopers to evaluate nine of SSA\'s FY 1998\nperformance indicators established to comply with GPRA. This report reflects our\nunderstanding and evaluation of the SSI aged claims process, which includes\nperformance measures #3 (Percent of initial SSI aged claims processed within 14 days\nof filing) and #4 (SSI aged claims processed). Testing was performed from June 9,\n1999 through October 1, 1999, as follows:\n\n1.\t Gain an understanding and document the sources from which data is collected to\n    report on the specified performance measures;\n2.\t Identify and test critical controls (both EDP and manual) of systems from which the\n    specified performance data is generated;\n3.\t Test the accuracy of the underlying data for each of the specified performance\n    measures;\n4. Recalculate each specific measure to ascertain its mathematical accuracy; and\n5.\t Evaluate the impact of any relevant findings from prior and current audits with\n    respect to SSA\'s ability to meet performance measure objectives; and\n6.\t Identify findings relative to the above procedures and make suggestions for\n    improvement.\n\nAs a result of our reliance on prior and current SSA audits, our report contains the\nresults of internal control testing and system control deficiencies.\n\nLimitations\nOur engagement was limited to testing at SSA headquarter. Furthermore, when\nrecalculating the specific performance measures, we used FY 1998 data except when\nSSA was unable to provide all the documentation necessary to fully evaluate the FY\n1998 performance measure amounts reported in the Accountability Report. In those\ncases, FY 1999 data was evaluated.\n\nThese procedures were performed in accordance with the AICPA\'s Statement on\nStandards for Consulting Services, and is consistent with Government Auditing\nStandards (Yellow Book, 1994 version).\n\n\n1.\t    Gain an understanding and document the sources from which data is\n       collected to report on the specified performance measures\n\nWe obtained an understanding of the underlying processes and operating procedures\nsurrounding the generation of performance measures through interviews and meetings\nwith the appropriate SSA personnel and by reviewing the following documentation:\n\n\n\n                                           B-1\n\n\x0ci Policies and procedures manual for procedures surrounding the processing,\n  accumulating, and reporting of the data for the nine performance measures;\ni PwC system walk-through descriptions;\ni SSA-provided system descriptions;\ni Internal or external reports on the nine performance measures (including OIG, GAO,\n  etc.); and,\ni Review of any of the nine performance measures performed in conjunction with prior\n  financial audits by PricewaterhouseCoopers.\n\n\n2.      Identify and test critical controls (both EDP and manual) of systems from\n        which the specified performance data is generated\n\nBased on the understanding we obtained above in Methodology #1, we identified key\ncontrols for the nine performance measures. For each of the nine performance\nmeasures, the controls surrounding the following were tested (Note: in cases where\nPricewaterhouseCoopers tested key controls as part of prior financial audits, findings\nwere updated, and testing was not reperformed):\n\nPerformance Measure #3: Percent of initial SSI aged claims processed within 14 days\nof filing\n\n\xe2\x80\xa2    Daily transmission of SSI Aged Claims to the SSI Claims Exception Control System\n\xe2\x80\xa2    Monthly transmission of SSI Aged Claims data for completed claims to the SSI\n     Claims Reporting System (SSICR)\n\xe2\x80\xa2    GETSSICR extraction process by OIM\n\xe2\x80\xa2    Applicable application controls\n\xe2\x80\xa2    Applicable general computer controls\n\xe2\x80\xa2    Resolution of DACUS (Death, Alert, and Control Update System) exception file\n\xe2\x80\xa2    Data input for DACUS\n\xe2\x80\xa2    Current procedural and systems documentation for CAS\n\nPerformance Measure #4: SSI aged claims processed\n\n\xe2\x80\xa2    Daily transmission of SSI Aged Claims to the SSI Claims Exception Control System\n\xe2\x80\xa2    Monthly transmission of SSI Aged Claims data for completed claims to the SSI\n     Claims Reporting System (SSICR)\n\xe2\x80\xa2    GETSSICR extraction process by OIM\n\xe2\x80\xa2    Applicable application controls\n\xe2\x80\xa2    Applicable general computer controls\n\xe2\x80\xa2    Resolution of DACUS (Death, Alert, and Control Update System) exception file\n\xe2\x80\xa2    Data input for DACUS\n\xe2\x80\xa2    Current procedural and systems documentation for CAS\n\n\n\n\n                                          B-2\n\x0cAll Performance Measures\n\n\xe2\x80\xa2    Formation of specific systems requirements for different major development projects,\n     routine maintenance, and cyclical changes\n\xe2\x80\xa2    Information protection control structure (system security)\n\xe2\x80\xa2    SSA\'s systemic contingency plan\n\xe2\x80\xa2    Documentation of program changes evidencing user approval and testing\n\xe2\x80\xa2    SSA\'s System Security Handbook\n\n\n3.      Test the accuracy of the underlying data for each of the specified\n        performance measures\n\nBased on the understanding we obtained above in Methodology #1, we identified key\nfiles, databases, and reports for the nine performance measures. To ensure data\navailability and to evaluate the data, Computer Assisted Audit Techniques (CAATs)\ntesting was performed for each of the nine performance measures as follows:\n\nPerformance Measure #3: Percent of initial SSI aged claims processed within 14 days\nof filing:\n\n\xe2\x80\xa2    Monthly data obtained via the GETSSICR module matches the monthly total for SSI\n     Aged Claims identified in the SSICR area;\n\xe2\x80\xa2    Traced from WMS to SSI Exception Control System to ensure accuracy of\n     transmittal;\n\xe2\x80\xa2    Performed test on segment 16 of the SSR in order to determine the percentage of\n     SSI Aged Claims processed in 15 days or more of filing date;\n\xe2\x80\xa2    Evaluated data transmittal from monthly SSICR file to the GETSSICR module;\n\xe2\x80\xa2    Evaluated data transmittal from the SSR system to the SSI Claims Exception Control\n     System;\n\xe2\x80\xa2    Compared the NUMIDENT and the SSR to ensure that individuals listed as alive and\n     in current pay status on the SSR are not listed as dead on the NUMIDENT; and\n\xe2\x80\xa2    Compared the NUMIDENT, MBR, and SSR to ensure that corresponding records for\n     a given individual have the same date of death.\n\nPerformance Measure #4: SSI aged claims processed:\n\n\xe2\x80\xa2    Monthly data obtained via the GETSSICR module matches the monthly total for SSI\n     Aged Claims identified in the SSICR area;\n\xe2\x80\xa2    Traced from WMS to SSI Exception Control System to ensure accuracy of\n     transmittal;\n\xe2\x80\xa2    Performed test on segment 16 of the SSR in order to determine the percentage of\n     SSI Aged Claims processed in 15 days or more of filing date;\n\xe2\x80\xa2    Compared the NUMIDENT and the SSR to ensure that individuals listed as alive and\n     in current pay status on the SSR are not listed as dead on the NUMIDENT; and\n\n\n\n                                           B-3\n\x0c\xe2\x80\xa2    Compared the NUMIDENT, MBR, and SSR to ensure that corresponding records for\n     a given individual have the same date of death.\n\n\n4.      Recalculate each specific measure to ascertain its mathematical accuracy\n\nBased on the understanding we obtained above in Methodology #1, we requested and\nreviewed documentation to ensure the mathematical accuracy of the nine performance\nmeasures as follows:\n\nPerformance Measure #3: Percent of initial SSI aged claims processed within 14 days\nof filing:\n\n\xe2\x80\xa2    Traced performance measure per SSICR (item #304) to the FY 1998 Accountability\n     Report.\n\nPerformance Measure #4: SSI aged claims processed:\n\n\xe2\x80\xa2    Traced the performance measure values in the FY 1998 CAS Report to the value in\n     the FY 1998 Accountability Report;\n\xe2\x80\xa2    Traced the performance measure DOWR counts from the FY 1998 DOWR Report to\n     the values in the FY 1998 CAS Report; and\n\xe2\x80\xa2    Traced the performance measure IWMS value for FY 1998 to the FY 1998 DOWR\n     count and CAS Report.\n\n\n5.      Provide OIG management with a written report identifying findings relative\n        to the above procedures, and with suggestions for improvement\n\nBased upon the evaluation performed, as outlined in the four above methodologies,\nPricewaterhouseCoopers has prepared a written report detailing the internal control\ndeficiencies in SSA\'s performance measurement systems, as well as inaccuracies in\nSSA data used to report on the nine selected performance measures.\nPricewaterhouseCoopers has also provided recommendations to address the system\ndeficiencies and data inaccuracies noted during the performance of the agreed upon\nprocedures.\n\n\n6.      Evaluate the impact of any relevant findings from prior and current audits\n        with respect to SSA\'s ability to meet performance measure objectives\n\n\nPricewaterhouseCoopers has noted five relevant findings from prior and current audits\nthat may impact SSA\'s ability to meet performance measure objectives. All findings\nwere noted in our FY 1999 financial audit. The relevant findings impact all performance\nmeasures, and are as follows:\n\n\n                                          B-4\n\x0c\xe2\x80\xa2   SSA has a number of data integrity deficiencies\n\xe2\x80\xa2   SSA\'s system environment has security deficiencies\n\xe2\x80\xa2   CAS procedural and systems documentation have not been updated\n\xe2\x80\xa2   SSA has systems design and documentation deficiencies\n\xe2\x80\xa2   SSA has a number of deficiencies in their systems contingency plan\n\n\n\n\n                                         B-5\n\x0c                                                                            Appendix C\n\n                      AGENCY COMMENTS\n\nJanuary 28, 2000\n\n\nJames G. Huse, Jr.\nInspector General\n\nWilliam A. Halter\nDeputy Commissioner\n\n\nOffice of the Inspector General (OIG) Draft Report, "OIG Performance Measure Review:\nSummary of PricewaterhouseCoopers (PwC) LLP Review of SSA\xe2\x80\x99s Performance Data\xe2\x80\x9d\n\nWe appreciate the opportunity to comment on the draft summary report. We also\nappreciate the OIG/PwC acknowledgement that SSA has developed a number of useful\nperformance measures in the spirit of the Government Performance and Results Act\n(GPRA) and has discussed them in proper detail in the FY 2000 Performance Plan.\n\nFurther, we appreciate the report\xe2\x80\x99s stated intention to provide SSA with suggestions\nwhich may assist us in preparing for the final phases of GPRA. However, we believe\nthe report should more clearly state throughout that current GPRA requirements were\nnot in effect during FY 1998, the year for which the data were examined, and that it\nwould therefore be inappropriate to extrapolate the findings to SSA\xe2\x80\x99s implementation of\nGPRA for FY 1999 or FY 2000.\n\nThe GPRA statute requires that certain elements be included in annual performance\nplans and that other elements be included in annual performance reports. GPRA\nfurther requires that agencies prepare annual performance plans that set out specific\nperformance goals for FYs beginning with 1999. It also requires that agencies report\nannually on performance compared to goals, with the first report due in March 2000, to\ncover FY 1999. As mentioned above, the requirements of GPRA, including a\ndescription of the means employed to verify and validate the measured values used to\nreport on program performance, were not in effect for FY 1998. SSA\xe2\x80\x99s efforts in this\narea were preliminary, and have significantly evolved with our FY 1999 and FY 2000\nGPRA documents.\n\nFor FY 1998, and as we were moving toward preparation of our first GPRA Strategic\nPlan and our Annual Performance Plan for FY 1999, SSA published a Business Plan.\nWe stated in our Business Plan that for FY 1998 we were including performance\n\n\n\n                                          C-1\n\x0cmeasures for which we had measurement systems in place and current performance\ninformation. We also included related output measures for several priority workloads.\n\nAlthough not a GPRA requirement, we also elected to report in our FY 1998\nAccountability Report on those FY 1998 goals which we decided to include in our FY\n1999 Annual Performance Plan. We did not however, meet all the requirements for an\nAnnual Performance Report in that document nor was it our intention to do so. We are\nconcerned that implicit in many of the report\xe2\x80\x99s recommendations is the erroneous\nconclusion that SSA should have complied, in 1998, with statutory requirements that\nwere not yet in effect. We believe that all GPRA requirements are met, as required by\nstatute, by our recently released FY 1999 GPRA Performance Report.\n\nFinally, as you know, 30 of the 40 recommendations contained in the subject audit\nreport are either exactly duplicative or very nearly duplicative of recommendations\ncontained in past financial statement audit reports. Since we are already taking\ncorrective actions for those that we accepted as valid, we will not be addressing the\nduplicate recommendations in this response. We will, of course, continue our efforts to\nimplement corrective actions, as appropriate, and to provide status reports until\ncompleted.\n\nAs you indicate, SSA is positioned to be a leading performance based budgeting\norganization and to meet the future requirements of GPRA. The Office of Management\nand Budget has designated SSA as a pilot project for performance budgeting. The\ncontinuing disability reviews program is the specific activity covered by this designation\nand the time period covered will be FY 2001. We anticipate that our participation will\nenrich the learning from the government-wide pilot with regard to the feasibility and\nimpacts of performance based budgeting.\n\nAttached are specific comments to the draft report. Staff questions may be referred to\nOdessa J. Woods on extension 50378.\n\n\n\nImprovement Area 1--SSA lacks sufficient performance measure process\ndocumentation and did not retain documents to support the FY 1998 amount.\n\nRecommendation 1\n\n1.     We recommend that SSA place ownership for the performance measure process\nand reporting within an organizational unit. Data ownership would still remain with the\nuser organizations. However, an organizational unit should be accountable for the\noverall performance measure processes and results. Their charter should include the\nfollowing responsibilities:\n\n\n\n\n                                           C-2\n\x0c\xe2\x80\xa2   Identify and document the processes surrounding the generation and accumulation\n    of performance measure values. This would establish a clear method for verifying\n    and validating the performance measures.\n\n\xe2\x80\xa2   Establish policies and procedures surrounding the retention of performance measure\n    documentation. The documentation retained should allow for the timely verification\n    of the performance measure values, and should be maintained for at least one year.\n\n\xe2\x80\xa2   As new systems are developed, evaluate their potential impact on the accumulation\n    of performance measure data. Systems with potential impact should be designed to\n    include the means of producing a verifiable audit trail to validate the performance\n    measure results as they are defined in the Accountability Report.\n\nResponse to Recommendation 1\n\nWe agree in concept with this recommendation. SSA\xe2\x80\x99s Office of Strategic Management\n(OSM) is responsible for coordinating the Agency\xe2\x80\x99s GPRA activities. In addition, we will\ncontinue to work to improve the development and retention of the kind of documentation\nneeded for external audits of our performance measures.\n\n\nImprovement Area 2--SSA has a number of data integrity deficiencies.\n\nRecommendations 2-10\n\nResponse to Recommendations 2 - 10\n\nThese recommendations are either a direct reprint of the recommendations contained in\nPricewaterhouseCoopers\' (PwC) FY 1998 Management Letter, Part 2 or a reiteration\ncontaining only minor editorial changes.\n\nRecommendation 7\n\n\xe2\x80\xa2   SSA should develop policies and procedures for the resolution of unmatched items\n    in DACUS and establish a work group with primary responsibility for resolution. One\n    of the duties of this group should be to analyze patterns in exceptions and facilitate\n    the implementation of changes to the automated matching algorithm to make it more\n    effective\n\nResponse to Recommendation 7\n\nWe agree that a workgroup should be established to determine DACUS exception\npatterns and make recommendations on changes in matching routines, as appropriate.\nThe workgroup will be led by the Office of Systems Requirements with involvement from\nothers impacted components. We have already determined that gender should be\ndeleted as a matching item and plan to implement this change before the Year 2000\n\n\n                                           C-3\n\x0cmoratorium. DACUS Release 5 will be the vehicle for implementing changes\nrecommended by the workgroup.\n\nRecommendation 8\n\n\xe2\x80\xa2   SSA should implement: 1) initiatives to reduce the amount of time required by\n    outside sources for submitting death notifications, such as the electronic death\n    certificate project currently being tested; and, 2) a method to prevent the submission\n    or receipt of duplicate information, whether submitted from the same or different\n    sources (DACUS, NUMIDENT, MBR, SSR)\n\nResponse to Recommendation 8\n\nWe partially agree with this recommendation. We agree with the first bulleted item. We\nhave provided for Systems support for an Electronic Death Certificate process in the\nappropriate 5-Year plans.\n\nWe request the auditors reconsider its recommendation contained in the second\nbulleted item. The recommendation to prevent receipt/issuance of duplicate death data\nconcerning the same individual from multiple sources is technically impossible. To\nprevent reporting duplication, it would require that all agencies have direct, interactive\naccess to the SSA databases, which is not advisable. Even that would not prevent\nindividual sources such as family members and funeral directors also from reporting on\nsomeone previously reported by an agency. (There is no way to \xe2\x80\x9creceive\xe2\x80\x9d only certain\nrecords on a given file.)\n\nSSA only pays State Bureaus of Vital Statistics for death data and then only if it is the\nfirst report of death. In future DACUS analysis efforts, we will examine the MI for State\ndata to ensure that it is properly identifying only those records for which payment is due.\n\nRecommendation 9\n\n\xe2\x80\xa2   With the completion of the Year 2000 project in FY 2000, SSA should begin\n    implementation of DACUS Release 2 (a high priority of SSA\xe2\x80\x99s five-year IRM plan), to\n    provide functionality to automatically delete NUMIDENT death postings when a\n    person is \xe2\x80\x9cresurrected\xe2\x80\x9d on the MBR and SSR (NUMIDENT, MBR, SSR)\n\nResponse to Recommendation 9\n\nWe agree. We expect to complete Year 2000 DACUS activities in early 1999. We will\nthen develop the schedule for DACUS Release 2 and include the dates in the 3/99\nupdate of the Enumeration/Client 5-Year plan.\n\nWe also would like to clarify item C as the Findings section is inaccurate. Date of death\nprocessing was not a part of Release 2 of ICDB in 8/97 for title II or XVI. However, we\ndid do a special clean-up of MBR and SSR death data to the Numident in 1998. This is\n\n\n                                           C-4\n\x0cwhat accounts for the vast drop in discrepant cases. The remaining cases failed the\nautomated matching routines, generally because of significant differences in names.\nManual investigation would have to be undertaken to determine if the individuals are\nindeed the same person. We also note that SSA policy requires investigation of date\ndiscrepancies only when they would be significant to a finding of overpayment; i.e.,\nwhen a person has already been terminated for another reason such as disability\ncessation, a later death date would have no impact.\n\nRecommendation 10\n\n\xe2\x80\xa2   SSA should firm up plans to implement the ICDB R2 functionality for the SSI system\n    (SSR) to provide updated (substantiated) date of birth information to the NUMIDENT\n    (NUMIDENT, MBR, SSR)\n\nResponse to Recommendation 10\n\nWe request the auditors reconsider its recommendation as it is inaccurate. Date of birth\nprocessing was included in ICDB Release 2 in 8/97 for both Title II and XVI initial claims\ncases; there is no outstanding need to develop this capability for SSI cases. What does\nremain is the clean-up of the pre-existing data as described in III. 6. General above.\nThat \xe2\x80\x9cmass saturation\xe2\x80\x9d was NOT done in 6/98 as stated by PwC. What was executed in\n1998 was the clean-up of existing dates of death.\n\nRecommendation 11\n\nSSA should review the MSSICS process, looking for an opportunity to implement an\nautomated date stamp for the purposes of initiating performance measurement, while\nretaining the ability to manually input or overkey each applicant\'s effective filing date.\n\nResponse to Recommendation 11\n\nWe agree with the concept of this recommendation. However, before we can agree to\nimplementation, the impact of systems resources required for implementation must be\nreviewed in light of the Agency\xe2\x80\x99s overall systems priorities. A decision concerning the\nfeasibility of including this in our 5-year plan will be made by September 2000. This will\nallow sufficient time to review systems requirements and determine resource\navailability.\n\n\nImprovement Area 3--SSA\'s system environment has security deficiencies.\n\nRecommendations 12-22\n\n\n\n\n                                             C-5\n\x0cResponse to Recommendations 12-22\n\nThese recommendations are direct reprints of findings and recommendations contained\nin PwC\xe2\x80\x99s FY 1999 report on management\'s assertion about the effectiveness of internal\ncontrol.\n\nRecommendation 12\n\nAs previously reported in the FY 1999 Accountability Report, we recommend that SSA\naccelerate and build on its progress to enhance information protection by further\nstrengthening its entity-wide security as it relates to implementation of physical and\ntechnical computer security mechanisms and controls throughout the organization. In\ngeneral, we recommend that SSA:\n\n\xe2\x80\xa2   Reevaluate its overall organization-wide security architecture;\n\nResponse to Recommendation 12\n\nSSA agrees with this recommendation and is initiating a full reassessment of its\norganization-wide security architecture to ensure that vulnerabilities, especially those\nintroduced by new technology, are being addressed. This strategic reassessment will\nallow SSA to identify any additional initiatives needed to upgrade its programs.\nEnhancements to the existing architecture resulting from this activity will be\nimplemented and communicated to all SSA components.\n\nRecommendation 13\n\n\xe2\x80\xa2   Reassess the security roles and responsibilities throughout the organization\xe2\x80\x99s central\n    and regional office components;\n\nResponse to Recommendation 13\n\nSSA agrees with this recommendation and is currently reassessing security roles and\nresponsibilities. Recently, SSA elevated the organizational structure of the entity for\ninformation systems security within the Office of Finance, Assessment and\nManagement. Also, within the Office of Operations, a higher level security oversight\ngroup was formed and there was a reassessment of regional security officer roles to\nemphasize the increased importance of their roles.\n\nRecommendation 14\n\n\xe2\x80\xa2   Assure that the appropriate level of trained resources are in place to develop,\n    implement and monitor the SSA security program;\n\nResponse to Recommendation 14\n\n\n\n\n                                           C-6\n\x0cSSA agrees with this recommendation and has enhanced security training by directing\nadditional funds toward new security training courses for both Headquarters and\nregional security staffs. In addition, the Office of Systems is taking steps to improve its\nsecurity program by obtaining additional expertise via contractor services.\n\nThe additional training and the organizational refocusing discussed above will ensure\nthe appropriate level of trained resources are in place to develop, implement and\nmonitor the SSA security program.\n\nRecommendation 15\n\n\xe2\x80\xa2   Enhance and institutionalize an entity-wide security program that facilitates\n    strengthening of LAN and distributed systems\xe2\x80\x99 security;\n\nResponse to Recommendation 15\n\nSSA agrees with the recommendation and has been working diligently on improvements\nin this area. SSA will continue to enhance and institutionalize the entity-wide security\nprogram through a series of enhancements to the mainframe, LAN and distributive\nsystems. The enhancements will include: improved monitoring of access controls,\nparticularly in field activities; full implementation of the Enterprise Security Interface;\nadministrative monitoring and penetration testing.\n\nRecommendation 16\n\n\xe2\x80\xa2   Review and certify system access for all users;\n\nResponse to Recommendation 16\n\nSSA agrees with this recommendation and continues to make progress in this area.\nThe Office of Systems continues to work aggressively to adjust access rights under its\nStandardized System Profile Project.\n\nRecommendation 17\n\n\xe2\x80\xa2   Enhance procedures for removing system access when employees are transferred\n    or leave the agency;\n\nResponse to Recommendation 17\n\nSSA agrees with this recommendation and will continue to improve our procedures and\nthe comprehensive processes already in place for removing system access when\nemployees are transferred or leave the Agency.\n\n\n\n\n                                            C-7\n\x0cRecommendation 18\n\n\xe2\x80\xa2   Decrease vulnerabilities in the mainframe operating system configuration;\n\nResponse to Recommendation 18\n\nSSA agrees with this recommendation and will continue to evaluate our mainframe\noperating system configuration and initiate changes to protect against threats, both\ndeliberate and nonintentional.\n\nRecommendation 19\n\n\xe2\x80\xa2   Implement the mainframe monitoring process;\n\nResponse to Recommendation 19\n\nSSA agrees with this recommendation. As acknowledged earlier in the report, SSA has\nestablished the SMART Report, which is distributed to the security officers responsible\nfor the groups using the systems. While most users are in non-Headquarters offices, all\nusers, including those in central office, are tracked and monitored. Procedures have\nbeen distributed which focus the reviews on specific types of transaction scenarios,\nthereby making the SMART system a more useful security management and\nenforcement tool. We agree that additional enhancements for increased use of the\nreport can be made both in the field and in central office. We will continue to improve\nthe use of the report to monitor inappropriate access to SSA\'s systems.\n\nRecommendation 20\n\n\xe2\x80\xa2   Finalize accreditation and certification of systems;\n\nResponse to Recommendation 20\n\nSSA agrees with this recommendation and either certified or recertified all of SSA\'s\nsensitive systems in July 1999.\n\nRecommendation 21\n\n\xe2\x80\xa2   Develop and implement an ongoing entity-wide information security compliance\n    program; and\n\nResponse to Recommendation 21\n\nSSA agrees with this recommendation and has a number of existing and planned\nprograms to monitor compliance with security policies and procedures. In addition to\nautomated controls, SSA also monitors compliance through programmatic and systems\naudits, financial systems reviews, and other internal studies and reviews.\n\n\n                                            C-8\n\x0cSSA has make progress in developing the Comprehensive Integrity Review Process\n(CIRP) system that will consolidate integrity review functions into a single automated\nfacility where transactions will be screened against specific criteria. The criteria include\ncross-application criteria and can be changed to concentrate on emerging trends. SSA\nremains committed to ongoing enhancement and implementation of the CIRP system.\n\nRecommendation 22\n\n\xe2\x80\xa2   Strengthen physical access controls at non-headquarters sites.\n\nResponse to Recommendation 22\n\nSSA agrees with this recommendation and is committed to strengthening security at\nnon-Headquarters sties. We are in the process of enhancing the badging procedures\nand policy enforcement in the regions and other major non-Headquarters facilities. In\naddition, the Agency, through its security tactical plan, has been working to increase\nphysical security at the National Computer Center (NCC) and SSA facilities around the\ncountry.\n\n\nImprovement Area 4--Three of SSA\'s performance measures could better reflect\nagency performance.\n\nPerformance Measure #3\xe2\x80\x94Percent of initial SSI aged claims processed within 14 days\nof filing.\n\nRecommendation 25\n\nWe recommend that the performance measure be redefined so that it does not expose\nthe agency to such a high degree of outside factors, thus placing the responsibility to\nperform solely on SSA.\n\nResponse to Recommendation 25\n\nWe do not believe this performance measure should be redefined. We understand that\nthere are some elements of this performance measure that are not within our control;\nhowever, SSA is comfortable with making the commitments contained therein. In\naddition, we believe that this measure is meaningful to the \xe2\x80\x9cexternal customer.\xe2\x80\x9d\n\n\nImprovement Area 5--GPRA documents prepared for external evaluation of SSA\nperformance do not clearly indicate the sources of the performance measures.\n\n\n\nRecommendation 26\n\n\n\n                                            C-9\n\x0cWe recommend that SSA develop clear and concise descriptions of each performance\nmeasure\'s source.\n\nResponse to Recommendation 26\n\nWe agree that reporting documents prepared for public consumption should contain, in\nlay terms, clear descriptions of the sources of our performance measures. We will\nconsult with your office to determine where you believe this is not the case. In addition,\nwe would note that, our documents comply with the requirements of GPRA with regard\nto appropriate level of documentation of the sources for external audiences. The A-11\nguidance specifically recommends the following information on data sources:\n\n\xe2\x80\xa2   The current existence of relevant baseline data, including the time-span covered by\n    trend data;\n\xe2\x80\xa2   The expected use of existing agency systems in the collection and reporting of data;\n\xe2\x80\xa2   The source of the measured data;\n\xe2\x80\xa2   Any expected reliance on an external source(s) for data, and identification of the\n    source(s); and\n\xe2\x80\xa2   Any changes or improvements being made to existing data collection and reporting\n    systems or processes to modify, improve, or expand their capability.\n\nSSA\xe2\x80\x99s FY 2000 Annual Performance Plan meets all these requirements.\n\nWhere additional, technical detail describing underlying processes and programmatic\nsystems that produce the reported metrics are needed by OIG and GAO auditors, we\nwill continue to make this detail available.\n\n\nImprovement Area 8--The Cost Analysis System\'s (CAS) procedural and systems\ndocumentation have not been updated.\n\nRecommendation 31\n\nWe recommend that DCA explore alternatives for acquiring the resources needed to\nupdate the existing CAS procedural and systems documentation, and to obtain\nprocedural documentation for the replacement systems.\n\nResponse to Recommendation 31\n\nThis recommendation was included as a recommendation contained in PwC\xe2\x80\x99s FY 1998\nManagement Letter, Part 2.\n\nWe agree and will pursue alternatives for acquiring the resources needed to update\nCAS procedures, manuals, handbooks and documentation. SSA is also initiating an\neffort to design and implement an agency-wide managerial cost accountability process\nand system which will eventually subsume the functions of the CAS.\n\n\n                                           C-10\n\x0cImprovement Area 9--SSA has systems design and documentation deficiencies.\n\nResponse to Recommendations 32 - 34\n\nThese recommendations are equivalent to recommendations contained in PwC\xe2\x80\x99s\nFY 1998 Management Letter, Part 2.\n\nRecommendation 32\n\nWe recommend the following:\n\n\xe2\x80\xa2   SSA should complete implementation of it\'s Validation Transaction Tracking System\n    (VTTS) and continue with its plan to automate the process for submitting System\n    Release Certification (SRC) forms\n\nResponse to Recommendation 32\n\nWe agree and believe the first portion of this recommendation is complete. Systems\nbegan using VTTS in 1996 for selected validations. In October 1998, its use became\nmandatory for all validations. VTTS has been converted to SQL and is available for all\nsystems. Evaluation will continue to make it more useful and flexible.\n\nTarget dates for automating the SRC forms submission process are now in place.\nPrototype automated change control procedures are currently being tested and\nevaluated which will satisfy the second portion of this recommendation. We expect to\ncomplete evaluation of the prototype design by Spring 1999. (The prototype evaluation\nwas staged to include various life cycle development projects, e.g., new software\ndevelopment (online and batch), maintenance, cyclical projects.) We are currently\nsetting up the evaluation of a maintenance type project.\nUpon completion of the prototype evaluation, design changes resulting from the\nevaluation will be incorporated into the automated procedures, software changes to this\nprocess will be made, and we will then roll out the process on a project by project basis.\nWe expect to begin roll out by late Summer 1999.\n\nRecommendation 33\n\n\xe2\x80\xa2   SSA should complete implementation of Platinum\'s Process Engineering Tool (PET)\n    and institutionalize Carnegie Mellon\'s Software Engineering Institute\'s Capability\n    Maturity Model (CMM) methodology\n\n\n\nResponse to Recommendation 33\n\nWe agree but believe it is too early in the implementation process to provide a date for\ncomplete implementation.\n\n\n                                           C-11\n\x0cPresently, SET standards require documenting software changes. Nevertheless, we\nare developing a more robust mechanism to support SSA\xe2\x80\x99s Information Technology (IT)\ninfrastructure.\n\nWe are committed to software process improvement using Carnegie Mellon\xe2\x80\x99s Capability\nMaturity Model (CMM). We have also procured the PLATINUM Technology, Inc.\xe2\x80\x99s\nProcess Engineering Tool (PET). When fully implemented, PET will replace and expand\nupon the foundation built by SET.\n\nWith PET integrated within our CMM approach, SSA is building the foundation for a\ncomprehensive software process improvement infrastructure that goes well beyond the\nobjectives of SET. This infrastructure will create an environment that encourages,\nsupports and provides assurance that we are continuously making improvements in the\nquality of software, productivity of the software development staff, and timeliness of\nsoftware delivery. This will be done by improving project management skills and\napproaches; defining IT Processes based on SSA and industry best practices;\nsupporting the use of metrics; and continuously improving IT processes.\n\nThree CMM pilot projects are well underway and using SSA developed documented\nprocedures required for compliance with CMM Level 2 Key Process Areas (KPAs).\nKPAs indicate where an organization should focus to improve its software process and\nidentify the issues that must be addressed to achieve the next maturity level. The KPAs\nat Level 2 focus on the software project\xe2\x80\x99s concerns related to establishing basic project\nmanagement controls. These KPAs are:\n\n\xe2\x80\xa2   Requirements management\n\xe2\x80\xa2   Software project planning\n\xe2\x80\xa2   Software project tracking and oversight\n\xe2\x80\xa2   Software subcontract management\n\xe2\x80\xa2   Software quality assurance\n\xe2\x80\xa2   Software configuration management\n\nProcesses for all of these KPAs have been developed for iterative lifecycle projects and\nare available to the pilot project teams over the Web and in the PET tool. DCS is in the\nprocess of identifying additional similar \xe2\x80\x9crollout\xe2\x80\x9d projects to begin in 1999, which will use\nthese processes to achieve CMM Level 2 compliance. In addition, processes will be\ndeveloped and pilots initiated in 1999 for the following types of project:\n\n\xe2\x80\xa2   Programmatic CICS and Batch\n\xe2\x80\xa2   Administrative Development\n\xe2\x80\xa2   Maintenance without established baselines\n\xe2\x80\xa2   Legislative and Notices\n\nThese processes will be developed using the PET tool and its rich repository of best\npractices and process techniques as the delivery mechanism for CMM. It will be\navailable to the projects over the WEB.\n\n\n                                            C-12\n\x0cRecommendation 34\n\n\xe2\x80\xa2   SSA should update its System Security Handbook (Chapter 10 on Systems Access\n    Security) to address all of the acceptable forms for granting access to SSA\xe2\x80\x99s\n    computer systems and data\n\nResponse to Recommendation 34\n\nWe agree. Chapter 10 of the its System Security Handbook lists the SSA-120 as the\nonly security form acceptable. There may be other non-security forms being used for\nnon-security purposes, but they are not appropriately included in the SSH.\n\n\nImprovement Area 10--SSA has a number of deficiencies in their systems\ncontingency plan.\n\nResponse to Recommendations 35 \xe2\x80\x93 40\n\nThese recommendations are direct reprints of recommendations contained in PwC\xe2\x80\x99s\nFY 1999 report on management\'s assertion about the effectiveness of internal control.\n\nRecommendation 35\n\nAs previously stated in the FY 1999 Accountability Report, we recommend that SSA:\n\n\xe2\x80\xa2   Finalize the list of critical SSA workloads and fully test the plans for recovering each\n    workload;\n\nResponse to Recommendation 35\n\nSSA agrees with this recommendation. SSA recently reevaluated and confirmed its\ncritical workloads. Testing that will determine recoverability of all identified critical\nworkloads is scheduled for July 2000.\n\nRecommendation 36\n\n\xe2\x80\xa2   Establish RTOs for each critical workload;\n\n\n\nResponse to Recommendation 36\n\nSSA agrees with this recommendation. It is SSA\'s goal to provide users with a fully\nintegrated set of software to process each critical workload as rapidly as possible. As\npart of our July 2000 test, we plan to assess and determine realistic timeframes and\nsequences for restoring critical workloads. These objectives will be incorporated into\n\n\n                                            C-13\n\x0cthe next iteration of the Disaster Recovery Plan (DRP). Subsequent DRP iterations will\ninclude timeframes and other supporting information.\n\nRecommendation 37\n\n\xe2\x80\xa2   Establish recovery priorities for all systems and applications (mainframe and\n    distributed);\n\nResponse to Recommendation 37\n\nSSA agrees with this recommendation and continues to work to establish recovery\npriorities for all mainframe and distributed systems and applications. DRP identifies the\nrecovery sequence of all mainframe workloads. We plan to determine realistic\ntimeframes for reestablishing access to these workloads. In addition, SSA will work to\nfurther define the recovery of the distributed workloads.\n\nRecommendation 38\n\n\xe2\x80\xa2   Update contingency plans for headquarters;\n\nResponse to Recommendation 38\n\nSSA agrees with this recommendation. In compliance with Presidential Decision\nDirective Number 67, Enduring Constitutional Government and Continuity of Operations\nPlan, SSA has convened an agencywide workgroup to develop an infrastructure for\ncontingency planning. This includes defining organizational roles and responsibilities,\nessential operations and staffing, training, maintenance, etc. The actions\nrecommended by the workgroup and approved by SSA management will be\nincorporated in to the Agency Contingency plan.\n\nRecommendation 39\n\n\xe2\x80\xa2   Finalize and test SSA\xe2\x80\x99s ultimate strategy for implementing and maintaining alternate\n    processing facilities; and\n\nResponse to Recommendation 39\n\nSSA agrees with this recommendation. Our current IAA with GSA provides SSA with a\nlong-term, alternate facility supplied through a GSA contract. These provisions will be\nimplemented and provide SSA access to the site for 1 year should a catastrophic event\nleave the NCC uninhabitable for longer than 6 weeks. SSA annually tests the use of\nalternate facilities when conducting its disaster recovery test of NCC operations. The\nextent of these tests is limited by test time constraints, the smaller configuration used for\ntesting, availability of personnel and other such factors.\n\nOver the years, SSA has gained significant experience in installing and running its\n\n\n                                            C-14\n\x0csystems on a wide variety of hardware during disaster recovery tests and benchmarking\nnew computing platforms. We believe this experience has resulted in the development\nof reliable procedures that allow SSA to bring up its systems at any site. This, of\ncourse, does not remove SSA\'s burden of verifying that secondary sites are stocked, as\nindicated, by the vendor. We will evaluate the benefits of establishing orientation visits\nat the secondary sites.\n\nRecommendation 40\n\n\xe2\x80\xa2      Finalize and test contingency plans for non-headquarters sites.\n\nResponse to Recommendation 40\n\nSSA agrees with this recommendation and is in the process of reviewing and updating\nall of the Security Action Plans (SAP) that are in place in its non-Headquarters facilities.\nThe Area Directors will review and test the SAPs as they visit each site during the\ncourse of the year. The Agency also conducts field site visits to assess the security that\nis in place in our offices. In the course of these visits, staff will analyze the plans for\neffectiveness and verity that employees are familiar with their content and application.\n\n\nWe also offer the following comments:\n\nImprovement Area 2\n\nBullet 7, \xe2\x80\x9cSSA current practice of obtaining death data does not ensure that this data is\nentered into DACUS accurately, timely and only once (affects the NUMIDENT, MBR,\nand SSR). While this data may not have a direct effect on the performance measures\n(#1, #2, #3, #4, #5, and #9) a noted lack of data verification in these databases\nindicates the possibility that other data lacks integrity.\xe2\x80\x9d\n\nAgency Comment\n\nThis item requires clarification. The report is unclear as to whether the development of\nthe third party reports or the input of SSA-721\xe2\x80\x99s are factors in the reasons for the OIG\nconclusion.\n\nBullet 8, \xe2\x80\x9cA comparison of the MBR, SSR and NUMIDENT identified a large number of\ncases where either the individual was alive and in current pay status on the MBR/SSR\nbut listed as dead on the NUMIDENT, or corresponding records of a given individual\nhad significant differences in dates of death. While this data may not have a direct\neffect on the performance measures (#1, #2, #3, #4, #5, and #9), a noted lack of data\nverification in these databases indicate the possibility that other data lacks integrity.\xe2\x80\x9d\n\n\n\n\n                                           C-15\n\x0cAgency Comment\n\nWe are aware of the problem when the person is listed as deceased on the payment\nrecords but alive on the NUMIDENT. These are usually reinstatement cases. Currently\nreinstatements require two separate actions and in many cases the payment record is\ncorrected and the NUMIDENT remains uncorrected. Release 2 of DACUS, scheduled\nfor implementation in August 2000, will enable the reinstatement to communicate with\nthe DACUS system. This will result in a corrected NUMIDENT.\n\nOther Matters\n\n1. Documents prepared for external evaluation of SSA performance could be improved\nto clearly explain the intended uses of the performance measures to comply with future\nGPRA requirements.\n\nAgency Comment\n\nIn response to the cited General Accounting Office recommendations, SSA is\nexpanding the explanation of the goals and measures and how they contribute to\nevaluating overall SSA performance in the FY 2001 Performance Plan due to Congress\nin February 2000.\n\n2. The nine performance measures are not explicit performance budgeting metrics, but\nare nonetheless appropriate internal performance indicators and are useful to the SSA-\nwide strategic planning process.\n\nAgency Comment\n\nThe statements in this section should be modified to recognize that stakeholders not\nonly include Congressional appropriators, but also customers, policy makers and the\ngeneral public who are looking at the overall effectiveness of the Agency in fulfilling its\nmission. GPRA prescribes that outcome measures will be used for this purpose.\n\n3. SSA is positioned to be a leading performance-based budgeting organization and to\nmeet the future requirements of GPRA.\n\nAgency Comment\n\nWe appreciate the confidence expressed by the OIG in SSA readiness for performance\nbudgeting. The Office of Management and Budget (OMB) has designated SSA as one\nof the government-wide performance budgeting pilot projects provided for in GPRA.\nWithin SSA, the Continuing Disability Reviews program is the specific activity covered\nby this designation. OMB considers the performance budgeting pilot projects to be an\nopportunity to examine the feasibility and potential application of several approaches to\nperformance budgeting. In this context, OMB intends to use performance and resource\ndata provided by the pilots during development of the FY 2001 budget and to report to\n\n\n\n                                            C-16\n\x0cCongress on the results of the pilots no later than March 31, 2001, as required by\nGPRA.\n\nAppendix A, Background, GPRA\n\nThis section should state clearly that the requirements of GPRA for Agency\nperformance plans and Agency performance reports were not in effect until FY 1999. It\nshould also acknowledge that although the report covers FY 1998 performance\nmeasures, the GPRA requirements, including descriptions of the means employed to\nverify and validate the measured values used to report on program performance, were\nnot in effect at that time.\n\nAppendix A, SSA\xe2\x80\x99s Performance Measures\n\nThe last paragraph should read \xe2\x80\x9cFY 1997-2002 strategic plan, \xe2\x80\x9cKeeping the Promise.\xe2\x80\x9d\n\n\n\n\n                                          C-17\n\x0c                                                                                                                            Appendix D\n\n                          Performance Measure Summary Sheets\n\n\nName of Measure                                            Measure Type          Strategic Goal\n3) Percent of initial SSI aged claims processed            Percentage            Goal: To deliver customer-responsive, world-class\nwithin 14 days of filing                                                         service.\n                                                                                 Objective: To raise the number of customers who\n                                                                                 receive service and payments on time.\n\nDefinition                                                                                              Purpose\nThis percentage reflects the number of Initial SSI Aged applications completed (approved or             This measure serves to\ndenied) through the SSA operational system before the first regular continuing payment is due (or       improve the processing of SSI\nnot more than 14 days from the filing date, if later), divided by the total number of SSI Aged claims   aged claims in order to better\nprocessed for the year.                                                                                 serve the customer (the aged\n                                                                                                        SSI applicant). Specifically,\n                                                                                                        its\xe2\x80\x99 objective is to increase the\n                                                                                                        number of customers who\n                                                                                                        receive service and payments\n                                                                                                        on time. This measure also\n                                                                                                        aids the Social Security\n                                                                                                        Administration in budgeting in\n                                                                                                        order to obtain funds from\n                                                                                                        Congress.\n\nHow Computed                                               Data Source           Data Availability      Data Quality\nThe calculation of processing time begins with the         MSSICS                Some FY 1998           Acceptable\nday the application is filed (the effective filing date)   Batch System          Available, FY 1999\nor the protective filing date and ends with the            WMS                   Available\nInitial Decision Date (IDD). The calculation of the        T16\nperformance measure is x/y where x=the the                 SICCR\n\n\n                                                                        D-1\n\x0cnumber of initial SSI aged claims processed within\n14 days of filing date and y= the total number of\nSSI Initial aged claims processed\n\nExplanatory Information                                                                            Report Frequency\n                                                                                                   Monthly\n\nTarget Goal                                          Division                Designated Staff Members\n66%                                                  Office of Information   Jane Sonn\n                                                     Management\n\nEDP AUDITOR Testing and Results\nEDP Auditor testing was performed to ensure controls were in existence and operating effectively within the following processes:\n\xe2\x80\xa2 Daily transmission of SSI Aged Claims to the SSI Claims Exception Control System\n\xe2\x80\xa2 Monthly transmission of SSI Aged Claims data for completed claims to the SSI Claims Reporting System (SSICR)\n\xe2\x80\xa2 GETSSICR extraction process by OIM\n\xe2\x80\xa2 Applicable application controls\n\xe2\x80\xa2 Applicable general computer controls\n\xe2\x80\xa2 Resolution of DACUS (Death, Alert, and Control Update System) exception file\n\xe2\x80\xa2 Data input for DACUS\n \xe2\x80\xa2 Current procedural and systems documentation for CAS\n\xe2\x80\xa2 Formation of specific systems requirements for different major development projects, routine maintenance, and cyclical changes\n\xe2\x80\xa2 Information protection control structure (system security)\n\xe2\x80\xa2 SSA\'s systemic contingency plan\n\xe2\x80\xa2 Full documentation of program changes evidencing user approval and testing\n \xe2\x80\xa2 SSA\'s System Security Handbook\n\nSee results of engagement entitled "SSA has a number of data integrity deficiencies", " SSA\'s system environment has security\ndeficiencies," "SSA has systems design and documentation deficiencies," and "SSA has a number of deficiencies in their systems\ncontingency plan."\n\n\n\n\n                                                                 D-2\n\x0cCAATs Testing and Results\n\xe2\x80\xa2   Monthly data obtained via the GETSSICR module matches the monthly total for SSI Aged Claims identified in the SSICR area;\n\xe2\x80\xa2   Traced from WMS to SSI Exception Control System to ensure accuracy of transmittal;\n\xe2\x80\xa2   Performed test on segment 16 of the SSR in order to determine the percentage of SSI Aged Claims processed in 15 days or\n    more of filing date;\n\xe2\x80\xa2   Evaluated data transmittal from monthly SSICR file to the GETSSICR module;\n\xe2\x80\xa2   Evaluated data transmittal from the SSR system to the SSI Claims Exception Control System;\n\xe2\x80\xa2   Compared the NUMIDENT and the SSR to ensure that individuals listed as alive and in current pay status on the SSR are not\n    listed as dead on the NUMIDENT; and\n\xe2\x80\xa2   Compared the NUMIDENT, MBR, and SSR to ensure that corresponding records for a given individual have the same date of\n    death.\n\nSee results of engagement entitled "SSA has a number of data integrity deficiencies."\n\nProcess Improvement Testing and Results\n\xe2\x80\xa2   Traced performance measure count per SSICR (item #304) to the FY 1998 Accountability Report.\n\nSee results of testing entitled "SSA lacks sufficient performance measure process documentation, and does not retain documents to\nsupport the FY 1998 amounts," " This performance indicator could better reflect agency performance," and "GPRA documents\nprepared for external evaluation of SSA performance do not clearly indicate the sources of the performance measures."\n\n\n\n\n                                                                D-3\n\x0cName of Measure                                     Measure Type              Strategic Goal/Objective\n4) SSI aged claims processed                        Workload                  Goal: To deliver customer-responsive, world class\n                                                                              service\n                                                                              Objective: To positioning the Agency\'s resources and\n                                                                              processes to meet emerging workloads.\n\nDefinition                                                                                          Purpose\nThis includes the total number of SSI aged claims processed for fiscal year 1998 from the time a    To improve the processing of\nclaim is established (the effective filing date or protective filing date) to the IDD (Initial      SSI aged claims in order to\nDetermination Date. It includes both approved and denied claims, and excludes pending claims.       better serve the customer (the\n                                                                                                    aged SSI applicant) as well as\n                                                                                                    to aid in budgeting to obtain\n                                                                                                    funds from Congress.\n\nHow Computed                                        Data Source                Data Availability    Data Quality\nTotal number of SSI aged claims processed for       MSSICS                     Some FY 1998         Good\nFiscal Year 1998.                                   Batch System               Available, FY 1999\n                                                    WMS                        Available\n                                                    T16\n                                                    SICCR\n                                                    CAS\n\nExplanatory Information                                                                             Report Frequency\n                                                                                                    Monthly\n\n\nTarget Goal                                         Division                   Designated Staff Members\n150,500                                             OFAM, OFPO                 Shirley Hodges\n\n\n\n\n                                                                D-4\n\x0cEDP AUDITOR Testing and Results\nEDP Auditor testing was performed to ensure controls were in existence and operating effectively within the following processes:\n\xe2\x80\xa2 Daily transmission of SSI Aged Claims to the SSI Claims Exception Control System\n\xe2\x80\xa2 Monthly transmission of SSI Aged Claims data for completed claims to the SSI Claims Reporting System (SSICR)\n\xe2\x80\xa2 GETSSICR extraction process by OIM\n\xe2\x80\xa2 Applicable application controls\n\xe2\x80\xa2 Applicable general computer controls\n\xe2\x80\xa2 Resolution of DACUS (Death, Alert, and Control Update System) exception file\n\xe2\x80\xa2 Data input for DACUS\n\xe2\x80\xa2 Current procedural and systems documentation for CAS\n\xe2\x80\xa2 Formation of specific systems requirements for different major development projects, routine maintenance, and cyclical changes\n\xe2\x80\xa2 Information protection control structure (system security)\n\xe2\x80\xa2 SSA\'s systemic contingency plan\n\xe2\x80\xa2 Full documentation of program changes evidencing user approval and testing\n\xe2\x80\xa2 SSA\'s System Security Handbook\n\nSee results of engagement entitled "SSA has a number of data integrity deficiencies", " SSA\'s system environment has security\ndeficiencies," "CAS systems and procedural documentation have not been updated," "SSA has systems design and documentation\ndeficiencies," and "SSA has a number of deficiencies in their systems contingency plan."\n\nCAATs Testing and Results\n\n\xe2\x80\xa2   Monthly data obtained via the GETSSICR module matches the monthly total for SSI Aged Claims identified in the SSICR area;\n\xe2\x80\xa2   Traced from WMS to SSI Exception Control System to ensure accuracy of transmittal;\n\xe2\x80\xa2   Performed test on segment 16 of the SSR in order to determine the percentage of SSI Aged Claims processed in 15 days or\n    more of filing date;\n\xe2\x80\xa2   Compared the NUMIDENT and the SSR to ensure that individuals listed as alive and in current pay status on the SSR are not\n    listed as dead on the NUMIDENT; and\n\xe2\x80\xa2   Compared the NUMIDENT, MBR, and SSR to ensure that corresponding records for a given individual have the same date of\n    death.\n\nSee results of engagement entitled "SSA has a number of data integrity deficiencies."\n\n\n\n\n                                                                D-5\n\x0cProcess Improvement Testing and Results\n\xe2\x80\xa2   Traced the performance measure values in the FY 1998 CAS Report to the FY 1998 Accountability Report;\n\xe2\x80\xa2   Traced the performance measure DOWR counts from the FY 1998 DOWR Report to the values in the FY 1998 CAS Report; and\n\xe2\x80\xa2   Traced the performance measure IWMS value for FY 1998 to the FY 1998 DOWR count and CAS Report.\n\nSee results of testing entitled "SSA lacks sufficient performance measure process documentation, and does not retain documents to\nsupport the FY 1998 amounts," and " GPRA documents prepared for external evaluation of SSA performance do not clearly indicate\nthe sources of the performance measures."\n\n\n\n\n                                                               D-6\n\x0c                                               Appendix E\n\nPerformance Measure Process Maps\n\n\n\n         This page intentionally left blank.\n\x0c                                                                   SSI Aged Claims Process\n                          PM #3: Percent of Initial SSI Aged Claims Processed Within 14 Days of Filing Date\n                                PM #4: Total number of SSI Aged Claims Processed during the year\n\n                                                                                        ABAPs are processed through MSSICS\n                                                                                        and are selected via client request or                   If applicant does not meet preliminary\n                            This corresponds to protective\n                                                                                        at the discretion of local management\n         Start              filing date of application                                                                                           criteria, he/she receives either local\n                                                              Application is                                                                     denial notice or Abbreviated Application\n                                                             taken over the         1A                                                           (ABAP)\n                                                              phone by CR                                                             1A              Form L991 gives applicant\n                                                                                                                   Abbreviated\n                          SSA Representative                                                                                                          60 days from protective\n                                                                                                                   Application\n Applicant makes           enters preliminary                                                                       (ABAP)                            filing date to reapply\n contact with SSA         claimant information\n                                in ICDB                                                                                                   Field office\n                                                                                     CR does\n                                                            Applicant comes                                 Applicant                  generates Form\n                                                                                    preliminary\n                                                            into FO for Initial                          does not meet                 L991 for applicant            End\n                                                                                   assessment\n                                                               Interview                                 eligibility req\'ts            & saves copy for\n     Contact can be through field                                                   interview\n                                                                                                                                           60 days\n     office visit, call on local field\n     office phone number, 800            This occurs when a                                                                                         Cases that receive local\n     number, contact from an\n                                         claimant calls over the 800                                                                                denial notices are not\n     advocacy group or direct contact\n                                         number (this is also referred                                                                              tracked further by SSA\n     by SSA employee via lead from\n                                         to as a lead).                                                                                             systems.\n     concerned individual                             Applicant meets\n                                                        eligibility reqts\n\n             CR reviews                                                                                                           CICS performs surface\n                                                                                                           CICS creates\n              preliminary                                                          CR manually                                      and relational edit\n                                                                                                           Batch Process\n            application and                            2%                         enters data into                                   checks & sends                  No\n                                                                                                          data transaction\n          verifies and copies                                                          CICS                                        exceptions to holding           Exception\n                                                                                                                files\n              documents                                                                                                                    file\n\n                 98%                                                                                                             Exception\n\n                                  CR completes data\n         CR enters applicants                                                     MSSICS performs                    CICS sends\n                                  collection screens          MMSICS reads                                                                     FO resolves\n1A        SSN into MSSICS                                                         relationship and                 Exception Report                                  2B\n                                    with applicant           and updates ICDB                                                                   exception\n           (Index Check)                                                           surface edits                    to field office\n                                        input\n\n\n\n\n            MSSICS checks          MSSICS creates                                                                                               CICS sends\n               identifying         new pending file          MSSICS notifies                                                                 exception to batch\n                                                                                   2A\n              information            in MSSICS              WMS of new claim                                                                  process after 3\n           against NUMIDENT           database                                                                                               days of no activity\n\n\n\n\n                                                                                  D-2\n\x0cD-3\n\x0c                                                       SSI-Aged Process (Continued)\n       2A                                                                                                                 CR sends claim\n                                                                                                                           to Batch with\n                                                                                                                       a holding code (H80)\n\n\nMSSICS generates                                                                    CR Adjudicates            CR edits pending                                 BTSSR process\n                              Applicant reviews                                                                                        CR sends               converts MSSICS\n application with    FO          and signs                CR receives              Application based          file & builds SSR       application to               data into\n    applicant     Interview     application               application                on MSSICS                 online (SSR edit       Batch System             transaction files\n   information                                                                        guidance                      check)\n                                                                                                                                                                  for Batch\n\n                                   Applicant can also take        The Batch System is also referred to as\nPhone Interview\n                                   signed application to FO           the SSI Initial Claims Update System\n\n                       Applicant reviews                  CR copies,                                                                  Batch System\n  CR reviews          and signs application                 certifies                                          Claim is sent to\n application and      and mails to CR along             documents and                         2B              SSI Batch Update        performs edit             Batch System\nmails it to applicant   with requested                 mails/returns them                                          System            checks for CICS          indexes records\n                                                                                                                                         cases\n                           documents                     to the client.\n\n\n\n\n                                                      Batch System                                                                     Batch System\n                                                                                    Batch System updates                                                       Batch System\n  Batch System         Batch System                 generates & sends              WMS & passes claim data             Next          receives results              updates\n  searches for                                    finders to NUMIDENT                                                                 of NUMIDENT &\n                     creates new SSR                                                  to SSI Initial Claims          Batch Run                                verification code\n  existing SSR                                     & MBR for interface                                                                 MBR interface\n                                                         checks                    Exception Control System                               checks                    in SSR\n\n\n\n\n                       Batch System\n                       creates & co-\n                     locates new SSR                                                            Batch System              Batch System\n                     with existing SSR                                                        performs eligibility       computes benefit\n                                                                                                                                                  3A\n                                                                                              calculation for E02          & payment\n                                                                                                & CICS cases                schedule\n\n\n                                                                                                       Edit\n                           Exceptions (edits and / or alerts) can be triggered                                             SSA resolves            CR revises\n                            from the NUMIDENT & MBR interface checks, the                                                                                                  2B\n                                                                                                                            discrepancy          application data\n                           edit checks, or the eligibility calculation. The type\n                              of exception is conveyed using the Verification\n                            code in the SSR. Edits correspond to claims that\n                              are too discrepant to process, whereas claims\n                                       with alerts will go through despite the                                             SSA does not\n                                                                 discrepancy.                                                  resolve                  End\n                                                                                                                            discrepancy\n\n\n\n\n                                                                              D-4\n\x0c                                                        SSI-Aged Process (Continued)\n\n            3A\n                                                                          The Batch System is also referred to as the SSI\n                                                                                                                                    SSICR is also known as T16\n                                                                          Initial Claims Update System\n\n\n                                 Initial           Batch System provides             SSI Claims               SSI Claims              SSI Claims                zssicpt file\n     Award or Denial      Determination Date       status updates to WMS         Exception Control       Exception Control        Exception Control         transferred to SSI\n    Notice is Triggered   (IDD) is posted to       & SSI Claims Exception        writes completed          creates monthly        copies monthly file        Claims Reporting\n                               the SSR                 Control System            claims to daily file   file of transactions      data to zssicpt file        System (SSICR)\n\n                                                                                                                      Filename = zstamps,\n                                                   Filename = zstats, which includes all\n                                                                                                                      which consolidates one month of zstats\n                                               transactions completed on the given day\n                                                                                                                      files\n\n\n\n\n       PM #4                                                         PM #3\n\n\n                                                                                               SSICR tabulates % of\n                                                               SSICR calculates\n                                                                                                  cases meeting              OIM obtains PM #3           OIM provides PM# 3 to\n                                                           processing time for each\n  SSICR tabulates                                                                             performance objective         using the GETSSICR           OFPO for inclusion in\n                                                          completed claim & compares\ncounts for completed                                                                            & places in SSICR            module (Item #304)          Accountability Report\n                                                           to performance objective\n claims & places in                                                                                 database\n  SSICR Database\n\n\n\n                                                       OIM obtains DOWR                                   CAS computes PM\n  SSICR transfers         OIM obtains DOWR 8                                                                                         DCA uses PM #4 from\n                                                      65 from IWMS using         OIM enters DOWR         #4 by adding DOWR\n  counts to IWMS          from IWMS using the                                                                                        CAS (Code #0101) for\n                                                        the GETWORK               8 and DOWR 65              8 & DOWR 65\n (Codes #00152 &            GETWORK module                                                                                                inclusion in\n                                                          module (Item               into CAS            (placed in CAS Code\n     #00352)                 (Item #00152)                                                                                           Accountability Report\n                                                            #00352)                                             #0101)\n\n  DOWR 8 denotes the District\n                                                                  DOWR 65 denotes the District\n   Office counts for SSI-Aged\n                                                                   Office counts for SSI-Aged\n    applications (non-welfare\n                                                                  applications (welfare reform)\n                      reform)\n                                                                                                                                                                End\n                                                                               D-5\n\x0c'